T-Mobile data breach puts 48 million people at severe risk of identity theft [updated]

Updated Aug. 27 with note from T-Mobile's CEO.

T-Mobile yesterday (Aug. 17) posted an update on its most recent data breach. While the company seems to be trying to reassure people, it's hard to put a positive spin on this news, which is about as bad as it gets.

T-Mobile said that only about 49 million current, former and prospective T-Mobile customers had their personal account information stolen — not 100 million as a hacker claimed on an internet forum this past weekend.

Regardless of how many millions of people had their T-Mobile data hacked, the upshot is this: If you've ever applied for a T-Mobile postpaid account, you now have to assume that your name, address, date of birth and Social Security number have been fully compromised. 

You have to assume that anyone could use that information to open accounts in your name, sell your Social Security number, get an ID card in your name or even use your name while they're being arrested.

What you need to do about T-Mobile's data breach

Here's what you need to do if you have ever had or have ever applied for a T-Mobile postpaid account. (We'll get to T-Mobile prepaid customers in a minute.)

  • Take T-Mobile up on its offer of two years of McAfee ID Theft Protection Service.
  • Put a fraud alert on your credit files with Equifax, Experian and TransUnion.
  • Consider instituting a credit freeze with the Big Three credit-reporting agencies.
  • If you have a T-Mobile account, change your T-Mobile account PIN and password.
  • If you have a T-Mobile account, take the offer to set up Account Takeover Protection.

Lastly — and we don't say this flippantly — consider dropping T-Mobile and switching to a wireless carrier that does a decent job of protecting your personal information. This is the fourth or fifth major T-Mobile data breach in the past three years, and if this company's track record is any indication, it won't be the last.

All you need to steal someone's identity

In its post yesterday (Aug. 17), T-Mobile said that "we were able to verify that a subset of T-Mobile data had been accessed by unauthorized individuals."

Approximately 7.8 million current T-Mobile postpaid customers, and "just over 40 million" former postpaid customers, as well as prospective customers who had applied for postpaid accounts, had their full names, dates of birth, Social Security numbers and driver's-license or ID numbers compromised.

The bright side — if there is one — is that there is "no indication that the data contained in the stolen files included any customer financial information, credit card information, debit or other payment information." 

Nor were any "phone numbers, account numbers, PINs [or] passwords" compromised for these 48 million people, although T-Mobile is recommending these people reset their PINs anyway.

That's nice, but the theft of Social Security numbers is a lot more serious. It's not hard to cancel credit cards or reset PINs, while your Social Security number stays with you for life.

T-Mobile prepaid accounts also hit, but not as badly

However, that's not all. The company said "approximately 850,000" people with "active" prepaid T-Mobile accounts had their "customer names, phone numbers and account PINs" compromised. T-Mobile said it has reset all those PINs already.

These people did not have their Social Security numbers exposed, T-Mobile said. Nor did the company mention dates of birth or home addresses, two things that people with prepaid accounts may not have to provide when setting up an account.

If you have a T-Mobile prepaid account, you should reset your PIN again, as well as your account password, but you're probably good regarding potential identity theft. 

The company added that "no Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed." 

But it didn't say anything about current or former Sprint postpaid, or current Sprint prepaid, customers. It's possible that more bad news might come out of this already awful data breach.

Update: T-Mobile CEO posts apology

On Aug. 27, T-Mobile CEO Mike Sievert put up a blog post apologizing for the data breach (which affects 54 million people, not the 48 million reported earlier) and announcing that the company had entered into "long-term partnerships" with enterprise-security firm Mandiant and global accounting firm KPMG to prevent future security mishaps.

"I want to say we are truly sorry," Sievert wrote. "We didn’t live up to the expectations we have for ourselves to protect our customers."

Sievert said that nearly every current T-Mobile customer whose personal information was compromised in the breach has been notified, adding that "we are also now working diligently to notify former and prospective customers."

Paul Wagenseil
