- T-Mobile telecom company is looking into an alleged data breach that has compromised over 100 million clients.
- The hacker is demanding a 6 BTC ransom in exchange for 30 million social security numbers.
US telecom giant T-Mobile is investigating a potential massive hack that may have compromised over 100 million of its users. This came to be when a forum post claimed to be selling a large amount of personal data surfaced. The data seller did not specifically mention T-Mobile but did tell media outlet Vice that data obtained came from T-Mobile servers.
Importantly, the stolen data includes names, social security numbers, phone numbers, physical addresses, unique IMEI numbers, and driver license information, claimed by the seller. Motherboard managed to see samples of these data and confirmed that they contained critical information on T-Mobile customers.
“T-Mobile USA. Full customer info,” the seller told Motherboard in an online conversation.
T-Mobile and the hacker’s demands
In exchange for a subset of the data, the seller wants 6 BTC, equivalent to about $284,000 at current prices. The subset contains 30 million social security numbers and driver licenses. The seller also claims that they have already begun privately selling the rest of the data.
Referring to T-Mobile’s alert and respond to the breach, the hacker said,
I think they already found out because we lost access to the backdoored servers.
Nonetheless, this will likely not be a setback since the sellers said they had already downloaded the data locally. They had also backed it up in multiple places.
A T-Mobile spokesperson noted that:
We are aware of the claims made in an underground forum and have been actively investigating their validity, we do not have any additional information to share at this time.
Mounting tech attacks
Historically, T-Mobile has been hit by one after another cyber-security scandal. In February, the mobile carrier was sued by a victim who lost $450,000 in Bitcoin in a SIM-swap attack. The plaintiff Calvin Cheng accused T-Mobile of failure to implement adequate security policies as a prevention strategy.
Notably, SIM-swap attacks happen when a victim’s cell phone number is stolen. Hackers then use it to hijack the victim’s online financial and social media accounts. They intercept automated phone calls or messages used for two-factor authentication security measures giving them unauthorized access to accounts.
In July 2020, the same company was sued by the CEO of Veritaseum crypto company over a series of SIM swaps. The CEO alleged that the attack had resulted in the loss of $8.7 million worth of digital assets.
As much as technology is expanding, these events point to systems susceptibility and the need for superior security measures. For instance, cryptocurrency hardware wallets providers have long marketed their product as “immune” to malware.
However, hardware wallet manufacturer Ledger was slapped with a class-action lawsuit in April for lack of the said immunity. Ledger had a data breach in which the personal data of 270,000 customers was stolen between April and June 2020. DeFi platforms Poly Network and Neko Network were also recently hit with multi-million asset thefts.
