A hacker is selling a dataset containing privacy-sensitive data of more than a hundred million people on a forum on the dark web. He claims the information came from T-Mobile's servers. The provider is investigating the hacker's statement. So writes US tech site Motherboard, which has been in contact with the seller.
The stolen dataset contains a variety of personal information, including names, addresses, IMEI numbers, driver's license information, and social security numbers (citizen service numbers). The attacker sent a sample of the dataset to Motherboard's editors. Which confirmed that the data is real and contains accurate information from T-Mobile customers.
In a chat conversation with the tech site, the hacker tells us that the data came from several of T-Mobile's poorly secured servers. Currently, the perpetrator no longer has access to the company's servers. He suspects that T-Mobile discovered the backdoor he had set up and closed it. But not before he had captured customer data of more than a hundred million customers. Moreover, he made multiple backups of this data.
On a hacker forum on the dark web, the attacker is demanding a sum of six bitcoin for a subset of thirty million social security numbers and driver's licenses. At the current exchange rate, that works out to over 240,000 euros.
Commenting to Motherboard, T-Mobile said it is aware of the claim of a major data breach. "We are aware of claims on an underground forum and are currently investigating their validity. We have no additional information to share at this time," a company spokesperson said. The provider declined to respond to follow-up questions from the tech site.
As far as is known, no personal data of Dutch T-Mobile customers were captured and the above story only relates to U.S. customers. The provider came into disrepute earlier this year because of a partnership with the Central Bureau of Statistics (CBS).
In fact, between January 2018 and April 2020, T-Mobile shared non-anonymized location and call data of customers with researchers from CBS. At the provider's headquarters, five employees of the statistics agency worked during this period to develop an algorithm that could use location data to measure the mobility and residence behavior of Dutch citizens.
CBS employees had "full access" to customers' non-anonymized location data. With this data, it is possible to find out where users were when they made a phone call. Also, the researchers could see when and with whom someone was in contact.
T-Mobile customers were not informed of the cooperation with CBS. The Telecom Agency and the Autoriteit Persoonsgegevens were also unaware of the partnership between the telecom company and the statistics agency. In a response, both regulators let it be known that this never came up during regular consultations. They therefore want the bottom line to be revealed. Several groups in the Lower House submitted written questions to outgoing Minister for Legal Protection Sander Dekker, Minister of Economic Affairs and Climate Bas van 't Wout and State Secretary to the same ministry Mona Keijzer.
