
Cyber Incident Victim: T-Mobile US

Date: Feb 2023

Location: United States of America

Summary

T-Mobile experienced a data breach where attackers accessed accounts of approximately 800 customers using compromised credentials over a month-long period starting in late February. Exposed information included names, contact details, account numbers, PINs, Social Security numbers, government IDs, birthdates, billing balances, internal service codes, and line counts, though financial data and call records remained unaffected. The company detected unauthorized activity in March, reset affected account PINs, and offered impacted individuals two years of credit monitoring. This marked the carrier's second security incident of the year, following a separate breach months earlier impacting significantly more customers through an API vulnerability.

Description

T-Mobile experienced a data breach between late February and March 2023, marking its second cybersecurity incident of the year. The company detected unauthorized access through its security monitoring systems in March 2023, discovering that attackers had compromised a limited number of customer accounts over approximately one month. While the breach affected only 836 customers—a significantly smaller scope than previous incidents—the exposed data included highly sensitive personally identifiable information. The compromised details varied per individual but encompassed full names, contact information, account numbers, associated phone numbers, T-Mobile account PINs, social security numbers, government IDs, dates of birth, account balances, internal service codes (such as rate plans and feature identifiers), and line counts. Notably absent from the breach were customer call records and personal financial account information. T-Mobile initiated containment by resetting account PINs for all impacted customers upon discovery and began notifying affected individuals via breach notification letters distributed on April 28, 2023.

This incident followed a larger January 2023 breach where attackers exploited an API vulnerability to access 37 million customer records, which T-Mobile detected on January 5 and contained within 24 hours. The March breach differed in both scale and methodology, involving compromised credentials rather than API exploitation. As remediation, T-Mobile offered affected customers two years of complimentary credit monitoring and identity theft protection through TransUnion's myTrueIdentity service. The company's spokesperson confirmed their systems functioned as designed to detect the intrusion but declined to specify how credentials were obtained or whether employees were involved. Historical context reveals this as T-Mobile's eighth disclosed breach since 2018, with prior incidents including a 2019 prepaid customer exposure, 2020 employee data theft, 2021 unauthorized application access, and 2022 Lapsus$ gang infiltration using stolen credentials. The recurrence of breaches highlights persistent security challenges despite implemented detection mechanisms and response protocols.
