As if 2020 weren't bad enough, some T-Mobile customers are winding down the year with word of a data breach. According to reports from BleepingComputer and AndroidPolice, T-Mobile has within the past few days begun to notify affected subscribers of "malicious, unauthorized access" to some of their account information.
"We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved," the carrier said in a security notice shared with customers. "We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers."
Thankfully, compared to the kinds of data hackers obtained in prior attacks on the carrier and its partners, the scope of this most recent incident is considerably narrower. T-Mobile said the attack was limited to what the FCC regards as "customer proprietary network information," which can include phone numbers, the number of lines associated with the account, and potentially information about calls placed, like phone numbers called, timing and duration. The carrier further stressed that the data accessed "did not include names on the account, physical or email addresses, financial data, credit card information, social security numbers, tax ID, passwords or PINs."
In a statement provided to BleepingComputer, the carrier said that the breach affected only a small fraction -- less than 0.2 percent -- of the more than 100 million people in its subscriber base. That may not sound like many at all, but the math still works out to some 200,000 potentially affected people. More importantly, those who have been contacted by T-Mobile should do their best to stay on guard. While the data obtained may not be enough to put those people at immediate risk, it could still be used in tandem with information obtained in other leaks and data breaches to coordinate phishing attempts and social engineering attacks. (We have contacted T-Mobile for comment, and will update this story if the company responds.)