German-headquartered telecoms provider T-Mobile has now disclosed it has experienced a data breach in the US after multiple members of its customer base were impacted by malicious SIM swap attacks.

The number of attacks remains undisclosed

In a data leak advisory issued to affected customers, and officially filed with the US attorney general as per requirements, T-Mobile stated that an unknown hacker obtained access to its customers’ account details, such as personal identification numbers and other personally identifiable information (PII).

Because the attackers were able to port numbers successfully, it cannot be clearly determined whether they gained access to a staff member’s account or carried out the attack through one of the customer accounts compromised in the incident.

The T-Mobile notice issued to impacted data subjects read:

“An unknown actor gained access to certain account information. It appears the actor may then have used this information to port your line to a different carrier without your authorisation. T-Mobile identified this activity—terminated the unauthorised access and implemented measures to protect against reoccurrence.”

The data accessed by the attackers may potentially have included a wealth of PII like customers’ names, street and email addresses, financial account numbers, personal identification numbers, social security numbers, dates of birth, account security questions/answers, account plan information, and how many different phone lines a user is subscribed to.

Affected T-Mobile customers have been advised to change their account PINs and passwords, along with both their security question and its answer.

The telecoms provider commented:

“T-Mobile quickly identified and terminated the unauthorised activity; however, we do recommend that you change your customer account PIN.”

By way of compensation, T-Mobile is giving data subjects involved in the breach two years’ professional credit monitoring free of charge, along with detection services for identity theft via myTrueIdentity.

This is the fifth time T-Mobile has disclosed a data breach within the last four years, all of them involving reports of attackers gaining access to customer data. The telecom announced leaks in 2018, 2019 and twice in 2020.

What is a SIM swap attack?

SIM hijacking, also referred to as SIM swap fraud, enables threat operators to assume control of victims’ phone numbers after successfully porting them via social engineering strategies, or criminally bribing employees of mobile operators, effectively redirecting services to a SIM in their control.

After this stage is complete, the scammers will receive all of their chosen target’s phone calls and text messages. This allows them to intercept any multi-factor authentication verification messages sent via SMS. Once they are in possession of the code and other credentials, they can successfully hack into their victims’ online accounts.

Once inside, the malicious operators can commit multiple criminal acts including stealing funds from bank accounts, making online purchases and using available credit. With access to accounts and multi-factor authentication, they can gain administrative privileges that also allow them to alter passwords and lock targets out of their own personal accounts.
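
The sequence described above (a number is ported, then SMS codes are used to log in and change credentials) can be detected by a service that relies on SMS verification. The following is an added example, not part of the original article and not T-Mobile's tooling; the event names, the sample records and the 72-hour window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, account, event type); not real data.
# The event type names are hypothetical.
EVENTS = [
    ("2021-02-01T09:00:00", "alice", "number_ported"),
    ("2021-02-01T09:40:00", "alice", "sms_otp_login"),
    ("2021-02-01T09:45:00", "alice", "password_changed"),
    ("2021-02-03T12:00:00", "bob", "sms_otp_login"),
    ("2021-01-01T08:00:00", "carol", "number_ported"),
    ("2021-02-04T10:00:00", "carol", "password_changed"),
]

# Actions an attacker would take after intercepting SMS codes.
SENSITIVE = {
    "sms_otp_login",
    "password_changed",
    "pin_changed",
    "security_question_changed",
}

# Assumed review window after a port; tune to the service's risk appetite.
WINDOW = timedelta(hours=72)


def flag_post_port_activity(events, window=WINDOW):
    """Return {account: [(timestamp, event), ...]} for sensitive actions
    that occur within `window` after the account's number was ported."""
    last_port = {}
    alerts = {}
    # ISO 8601 timestamps in one format sort chronologically as strings.
    for ts, account, kind in sorted(events):
        when = datetime.fromisoformat(ts)
        if kind == "number_ported":
            last_port[account] = when
        elif kind in SENSITIVE:
            ported = last_port.get(account)
            if ported is not None and when - ported <= window:
                alerts.setdefault(account, []).append((ts, kind))
    return alerts


if __name__ == "__main__":
    for account, hits in flag_post_port_activity(EVENTS).items():
        print(f"review {account}: {hits}")
```

Flagged accounts can be held for step-up verification through a channel other than SMS before the sensitive change takes effect.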