This past week saw two huge data breaches with cellular service providers in the US. According to two different reports, up to 100 million T-Mobile and 70 million AT&T customers’ data has been stolen and is available for sale. While both T-Mobile and AT&T are still investigating, both breaches look pretty real and serious.
Data Breach Details
The stolen data available from each provider are similar in nature, and may contain any or all of the following information:
- Phone number
- Physical address
- Email address
- Social security number
- Drivers license number
- Date of birth
It’s not clear yet which customers were hit, but in some cases the information relates to prior customers and even prospective customers. It’s also not clear yet how the data was stolen. AT&T, for example, is so far claiming that the data didn’t come from their servers. That’s small consolation for their customers, however.
Ticking Time Bomb
This level of data breach is going to cause serious problems for the affected customers. This information will surely be used for identity theft, phishing, social engineering attacks, hacked accounts and social security scams. Most of these pieces of information cannot be easily changed, and may be circulating in darker corners of the internet forever.
As of the writing of this article, I don’t believe either carrier has notified their customers. We can only hope that these notifications will go out expeditiously because the bad guys will start utilizing this information sooner rather than later.
What Can I Do?
Once AT&T and T-Mobile get a handle on which customers were affected, they will hopefully be contacting you. But until then, if you’re an AT&T or T-Mobile cellular customer, you should assume that your data has been leaked. You can try searching for your international mobile phone number (like, with the country code) on HaveIBeenPwned.com, too.
One of the best protections against identity theft in the US is to freeze your credit. But you should also be keeping a close eye on your credit report. Look for lines of credit and other accounts that you didn’t open. AT&T and T-Mobile may offer you free credit-monitoring service due to this data breach. If so, I would take it. However, if they ask for a credit card number, make sure you’re getting the free version and note when the free period will end (i.e., they will begin charging your card). You might set a reminder for yourself to drop the service when the free period ends.
You should also be on guard for convincing phishing attacks and other scams based on your personal data. Keep a close eye on your financial accounts, medical benefits, and federal accounts such as the IRS and Social Security (even if you’re not drawing on it yet). If you haven’t created online accounts with the IRS and SSA yet, you should do so now. (Honestly, everyone should do this.) Turn on two-factor authentication, as well.
Cloning Your Phone
Note that with the information stolen here, you need to watch out for someone trying to clone your cell phone. This is a hack called SIM swapping. If someone can convince your mobile carrier that they are you and get a SIM card for your account, then they will be able to make/receive calls and send/receive plain SMS messages as if they were you. And if you’ve signed up for two-factor authentication (2FA) using SMS (as opposed to time-based PIN codes), then the bad guys will able to receive those codes on their cloned mobile phone. So you should look at any of your online accounts that are currently using SMS-based two-factor auth and change to using an authenticator app, if possible.
Need practical security tips?
Sign up to receive Carey's favorite security tips + the first chapter of his book, Firewalls Don't Stop Dragons.
Don't get caught with your drawbridge down!