What to Do If You're Concerned About the T-Mobile Data Breach
Exposed data includes driver's license info and Social Security numbers. Some simple steps can protect your sensitive information.
Cell phone carrier T-Mobile has rolled out new tools, including free identity protection services, to help customers affected by a large data breach. According to T-Mobile, criminals acquired the personal data of almost 50 million consumers.
T-Mobile says preliminary analysis of the breach indicates that the stolen files contained account information from approximately 850,000 T-Mobile prepaid customers and 7.8 million regular monthly customers, as well as more than 40 million records related to former or prospective customers who had applied for credit with T-Mobile, a company spokesperson said in an e-mail to Consumer Reports.
For the prepaid customers, the exposed data included names, phone numbers, and account PINs, the company said. T-Mobile has proactively reset the PINs on those accounts. (No Metro by T-Mobile, former Sprint prepaid, or Boost customers had that info revealed.)
The stolen data on other T-Mobile customers included their first and last names, dates of birth, Social Security numbers, and driver’s license/ID information. However, their phone numbers, account numbers, PINs, passwords, and financial information were not compromised, the company said.
The vulnerability that let criminals gain access to the data has been fixed, according to T-Mobile.
Earlier reporting put the number of affected accounts at 100 million, with the tech site Motherboard reporting that criminals claimed to have accessed and copied data including Social Security numbers and other sensitive data such as the International Mobile Equipment Identity (IMEI) numbers that serve as a phone’s digital fingerprint.
How to Protect Yourself
There’s no easy way to prevent a thief from using your Social Security number or your driver’s license number, but there are things you can do to limit the impact of having such personal info exposed to criminals.
Because of the ongoing COVID-19 crisis, the bureaus are offering free weekly credit reports through April 20, 2022. Before the pandemic, each offered a single free report annually and charged $20 for additional reports.
You’ll need to lift the freeze temporarily when you want to give a company access to your credit information—say, if you’re applying for a credit card or a car loan, or you want to rent an apartment.
Beef up your password game. While password information doesn’t seem to have been affected by the T-Mobile breach, the company is suggesting that customers change their passwords by logging in to their accounts or calling customer service by dialing 611 on their cell phones, although as of the morning of Friday, Aug. 20, the wait to talk to a representative was 45 minutes.
While using a different password for each account is one of the basic principles of digital security, if you sometimes recycle passwords, you should also change the passwords on other accounts that have the same credentials used on your T-Mobile account.
This might also be a good incentive to start using a password manager, a service that helps you create and store unique, complex passwords for each of your accounts.
Use multifactor authentication. In addition to using strong, unique passwords for every online account, it’s also smart to set up multifactor authentication, often called two-factor authentication.
When you turn on MFA, which is available for financial sites, social media sites, and many others, you need your password plus a second form of ID to log in. That way, if thieves get your password, they still won’t be able to access your account. The most common way to use MFA is probably to have the site send you a text message with a code that you enter into a pop-up box, but security experts say it’s better to use a smartphone app or physical security key.
Delete unused accounts. Any data breach can serve as a reminder that the more digital accounts you have, the greater the risk of your data being misused or stolen. You obviously can’t delete your cellular account, but you can take some time to locate other accounts that you haven’t used in years. Begin by typing your usernames, old and new, into a search engine and looking for combinations of your name and email address. You can also look for phrases such as “welcome to” or “new account” in your inbox, or look for saved log-ins in your search engines.
For more information on enhancing your digital security, use the CR Security Planner, a free tool that can help you create and save a personalized to-do list.
Editor’s Note: This article has been updated with information about services T-Mobile is offering customers affected by the data breach. The article was originally published Aug. 16, 2021.