A hacker sells a dataset with privacy-sensitive data of more than a hundred million people on a forum on the dark web. He claims that the information comes from T-Mobile’s servers. The provider is investigating the hacker’s statement.
The stolen dataset contains a variety of personal data, including names, addresses, IMEI numbers, driver’s license data, and social security numbers. The attacker sent a sample of the dataset to Motherboard’s editors. This confirms that the data is real and contains accurate information from T-Mobile customers.
In a chat conversation with the tech site, the hacker says that the data comes from various poorly secured T-Mobile servers. At this point, the perpetrator no longer has access to the company’s servers. He suspects that T-Mobile discovered the backdoor he had installed and closed it. But not before he had stolen customer data from more than a hundred million customers. In addition, he has made several backups of this data.
On a hacker forum on the dark web, the attacker asks for an amount of six bitcoins for a subset of thirty million social security numbers and driver’s licenses. At the current exchange rate, that amounts to more than 240,000 euros.
In a response to Motherboard, T-Mobile says it is aware of the claim of a major data breach. “We are aware of claims made in an underground forum and are currently investigating their validity. We have no additional information to share at this time,” a company spokesperson said. The provider declined to respond to follow-up questions from the tech site.
As far as is known, no personal data of Dutch T-Mobile customers has been stolen and the above story only relates to American customers. The provider was discredited at the beginning of this year because of a partnership with Statistics Netherlands (CBS).
Between January 2018 and April 2020, T-Mobile shared non-anonymous location and calling data of customers with researchers at CBS. During this period, five employees of the statistical office worked at the provider’s head office to develop an algorithm that could measure the mobility and residence behaviour of Dutch people using location data.
The CBS employees had ‘full access’ to non-anonymized customer location data. With this data, it is possible to find out where users were when they made a phone call. The researchers were also able to see when and with whom someone had contact.
T-Mobile customers were not informed about the collaboration with CBS. The Telecom Agency and the Dutch Data Protection Authority were also not aware of the partnership between the telecom company and the statistical office. In response, both supervisors said that this was never discussed during regular consultations. They also want the bottom stone to come up. Various factions in the House of Representatives put written questions to outgoing Minister for Legal Protection Sander Dekker, Minister for Economic Affairs and Climate Policy Bas van ‘t Wout and State Secretary to the same ministry Mona Keijzer.
Update (August 17): In a press statement, T-Mobile confirms that ‘unauthorized persons’ have had access to the company’s data. The telecom company cannot yet confirm that personal data has been stolen by the perpetrators. She does say she is confident that the leak has been sealed.
“We are continuing our in-depth technical investigation into all of our systems to determine the nature of the illegally accessed data,” the press release reads. This investigation is expected to take some time. The issue is said to be a top priority. “Until we complete this investigation, we cannot confirm the reported number of files affected or the validity of statements made by others.”
T-Mobile will inform all victims. To do this, the provider first wants to have a more complete and verified understanding’ of the situation. If the company knows exactly what has happened, it will ‘actively communicate with customers and other stakeholders.
Catch up on more articles here
Follow us on Twitter here