T-Mobile Data Breach Is Reminder to Practice Your Own Cybersecurity

Personal information, up for sale on ‘dark web,’ fuels financial fraud

[Illustration: a menacing figure hiding his identity pushes a shopping cart full of stolen identities. Credit: John Ritter]

Customer data from 37 million T-Mobile accounts was stolen late last year, the company disclosed Jan. 19.

While no Social Security numbers or financial account information was taken, customer names, account numbers, billing addresses, birth dates, emails, phone numbers and information such as the number of accounts and service plan features were stolen, according to the company, which is among the three largest U.S. wireless carriers. The breach potentially affects roughly a third of T-Mobile’s customer base.

In a filing with the federal Securities and Exchange Commission, T-Mobile wrote that it “promptly commenced an investigation with external cybersecurity experts, and within a day of learning of the malicious activity, we were able to trace the source ... and stop it.” The company said it believes the hacker first accessed the data trove on or around Nov. 25.

“The malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” said T-Mobile, adding that its investigation is continuing.

But while T-Mobile is not the only company, cellular or otherwise, to experience massive data spills in recent years, this latest rupture was its second major security leak in less than 24 months. In August 2021, T-Mobile revealed that hackers stole personal data on more than 40 million U.S. customers, a figure subsequently revised upward to nearly 77 million.

[Photo: People walk in front of a T-Mobile storefront. Hackers stole information on 37 million T-Mobile customers, about a third of its accounts, the wireless carrier said Jan. 19, 2023. Credit: Justin Sullivan / Getty Images]

Why a data breach matters

Information powers the fraud industry. Without names, credit card info, email addresses, passwords, Social Security numbers or other personal data, a scammer cannot reach you or pretend to be you. 

And so a massive illegal, international underground economy has emerged to serve the needs of scammers. The wares? More than 15 billion pieces of stolen personal data, according to law enforcement and cybersecurity experts with the firm Digital Shadows. That sounds like a lot of data, but it isn’t.

The average person logs in to nearly 200 sites that require passwords or other information, Digital Shadows estimates. Sitting in your computer are endless amounts of personal data that may be useful to a scammer. And so another illegal industry is constantly at work: data stealing.

A near record 1,802 publicly reported breaches of large-organization customer databases occurred in 2022, according to the Identity Theft Resource Center. Most of that data ends up in this dark web marketplace, being bought and sold.

If this info marketplace were an actual mall, the people you’d find there primarily would be hackers who steal the information and sell it in bulk, malicious code writers who help those hackers gain access to your computer by infecting it with malware, and vendors who buy the stolen data, repackage it and sell it to the “end users” — the people actually trying to ensnare you in a scam.

“While no information was obtained for impacted customers that would compromise the safety of customer accounts or finances, we want to be transparent with our customers and ensure they are aware,” T-Mobile wrote in a statement. “No passwords, payment card information, Social Security numbers, government ID numbers or other financial account information were compromised.”

Even if that’s so, risks remain. On his KrebsOnSecurity blog, cybersecurity expert Brian Krebs wrote: “There are currently no signs that hackers are selling this data haul from T-Mobile. But if the past is any teacher, much of it will wind up posted online soon. It is a safe bet that scammers will use some of this information to target T-Mobile users with phishing messages, account takeovers and harassment.”

How much is your personally identifiable information (PII) worth to scam artists? While many people think a nine-digit Social Security number is their most valuable identifier, “it’s actually worth about $2,” says James E. Lee, chief operating officer of the nonprofit Identity Theft Resource Center in San Diego.

If a Social Security number comes with a name and date of birth, it’s $4 or $5, or about “the cost of a caramel macchiato,” Krebs says. 

A person’s credit card information is worth more, about $25 to $35, Lee says. A hacked Facebook account can bring $65, and a selfie photo with a U.S. driver’s license, $100.

Who’s buying this information?

“There are hundreds of thousands of serious ‘threat actors’ throughout the world,” says Robert Villanueva, a retired U.S. Secret Service supervisor who’s now executive vice president of Q6 Cyber in Hollywood, Florida.

This personal data is sold in digital “shops” on the dark web, as well as in more exclusive online “forums” accessible to more sophisticated cybercriminals, Villanueva says. 

Malware, or malicious software, is critical to their crimes — because if a computer is compromised with what’s called a keylogger, every letter a person types is revealed to the bad guys, who can grab banking and email credentials and take over these accounts.

Your smartphone is also targeted. “Threat actors are really going after people’s phone numbers to hijack their digital lives, because that’s the weakest link,” Krebs says.

6 ways to stay safe

1. Set up your digital accounts to require multifactor authentication.

2. Freeze your credit card at the three major credit bureaus. Do the same for your dependents’ credit. That helps prevent a scammer with your info from making any major transaction in your name or the name of a dependent. “It’s really the only thing that gives the consumer some amount of control over their identity, when everything else around them is getting breached and stolen,” security expert Brian Krebs says.

3. Don’t save credit card numbers online with merchants or service providers.

4. Activate biometric locks — facial recognition or fingerprints — on your mobile device to safeguard data, should the device be lost or stolen.

5. Use antivirus software and perform recommended cybersecurity updates on your devices.

6. Because your phone number increasingly is being used to identify you, remove it from as many online accounts as possible. You may need to use your number to open some accounts, but go back and remove it later.

This story, originally published April 1, 2022, has been updated to reflect a major T-Mobile data breach.

Katherine Skiba is a contributing editor who covers scams and fraud for AARP. Previously she was a reporter with the Chicago Tribune, U.S. News & World Report and the Milwaukee Journal Sentinel. She was a recipient of Harvard University’s Nieman Fellowship and is the author of the book Sister in the Band of Brothers: Embedded With the 101st Airborne in Iraq.

 

Edward C. Baig is a contributing writer who covers technology and other consumer topics. He previously worked for USA Today, BusinessWeek, U.S. News & World Report and Fortune, and is author of Macs for Dummies and coauthor of iPhone for Dummies and iPad for Dummies.
