T-Mobile Hack. PHOTO: Cybercrime Magazine.

T-Mobile: Hacked Again. Customer Insecurity Persists.

SIM swap attacks are the worst fear

Paul John Spaulding

Northport, N.Y. – Mar. 21, 2023

I was hacked, I think…

Earlier this year, an attacker obtained customer names, billing addresses, emails, phone numbers, and birth dates from 37 million T-Mobile patrons. Because I’m not a T-Mobile customer, I didn’t think this incident would affect me… I was wrong.

I use Google Fi, a Mobile Virtual Network Operator, which — along with Mint Mobile, Metro by T-Mobile, and a few others — rents T-Mobile’s infrastructure to provide cell phone service.

I reached out to Cybercrime Magazine’s chief security officer, Scott Schober, to better understand the situation.

“The scary part to me is that T-Mobile has acknowledged this is the 8th data breach they have experienced since 2018. They have a poor track record of keeping data safe,” he said.

Cybercrime Radio: T-Mobile Is Hacked Again

How many users will be affected?

According to Schober, coincidentally author of the popular book “Hacked Again,” the good news for Google Fi users is that “hackers only accessed phone numbers, SIM card serial numbers, account status, and data plan information.”

The bad news, however, is that these bad actors can piece together the stolen metadata with other compromised information to build a profile of their victims, which can then be sold on the dark web. In some cases, this is just the tip of the iceberg when it comes to cybercrime.

“The single biggest fear you have is a SIM swap attack,” explained Schober.

A technique used by attackers across cyberspace, SIM swapping can quickly and efficiently give a criminal access to a person’s phone number, as well as their two-factor authentication codes. The devastation from these attacks can be enormous.

Rob Ross, a former Apple engineer, and Gregg Bennett, a technology angel investor, each lost more than a million dollars to a SIM swap scheme. For Ross, it represented his life savings.

As Schober pointed out earlier, T-Mobile has a poor track record.

In 2022, the company was breached over 100 times. In 2021, the Social Security numbers and information from driver’s licenses of over 40 million people who applied for T-Mobile credit were exposed. Major breaches also occurred in 2020 and 2019.

To reassure customers, T-Mobile launched a $150 million initiative in 2021 to improve its digital security, but recent events imply that it may not be enough.

End users are only so forgiving, and as I’ve discussed with Steve Morgan, the editor-in-chief of Cybercrime Magazine, many times, companies under digital attack are victims even as we question their cybersecurity resiliency.

So, how can consumers and businesses protect themselves?

Schober’s guidance is the same for everyone. “Besides the obvious safeguard of changing your password,” freeze your credit so it’s harder for hackers to steal your identity, enable multi-factor authentication using an alternative method like a dedicated authenticator app or a hardware key generator, and disable SMS verification for your T-Mobile account in favor of a more secure option.

Like any chain, the weakest link is what matters.

Paul John Spaulding is GM Production at Cybercrime Magazine.