Cyber Incident Victim: T-Mobile US
Date: Feb 2021
Location: United States of America
Summary
A telecommunications provider experienced a data breach following SIM swapping attacks, in which unauthorized actors accessed an internal application to target approximately 400 customers. The attackers obtained account information including names, addresses, Social Security numbers, PINs, security questions, and call records, enabling fraudulent number porting to bypass multi-factor authentication. The company terminated the unauthorized access, implemented protective measures, and offered affected customers credit monitoring services. This incident is part of a series of prior breaches involving unauthorized access to customer and employee data over recent years.
Description
In February 2021, T-Mobile disclosed a data breach following unauthorized SIM swapping attacks targeting an unknown number of customers. The incident involved an unknown actor gaining access to customer account information through methods not fully determined, though evidence suggested potential exploitation of an internal T-Mobile application or compromised user accounts. Attackers leveraged this access to port victim phone numbers to SIM cards under their control, enabling interception of calls and messages. This technique allowed bypassing SMS-based multi-factor authentication (MFA) mechanisms, facilitating unauthorized access to victims' online accounts for financial theft, credential theft, and account lockouts. Compromised data included full names, addresses, email addresses, account numbers, Social Security numbers (SSNs), account PINs, security questions and answers, dates of birth, service plan details, and line subscription counts. T-Mobile detected and terminated the unauthorized activity, implementing unspecified measures to prevent recurrence. The company notified affected customers via breach notices dated February 9, 2021, filed with state attorneys general's offices. This marked T-Mobile's fifth security incident in four years, following breaches in 2018 (affecting millions), 2019 (prepaid customers), March 2020 (customer/employee data), and December 2020 (call records).

Subsequent investigation revealed attackers targeted approximately 400 customers through SIM swap attempts using T-Mobile's internal systems, with no impact to T-Mobile for Business accounts. The company advised impacted individuals to reset account passwords, PINs, and security questions/answers while offering two years of complimentary credit monitoring and identity theft protection via TransUnion's myTrueIdentity service. Forensic analysis confirmed the attackers' access pathway did not involve business customer accounts. At least one confirmed SIM hijacking incident occurred within the month preceding disclosure, though the full scope of financial or reputational damage to customers remained unquantified in public filings. Historical breach patterns indicated persistent vulnerabilities in T-Mobile's customer data protection frameworks, with four preceding incidents between 2018 and 2020 collectively exposing diverse datasets including call records, employee information, and customer credentials across multiple attack vectors.
