The fallout from T-Mobile’s massive data breach last month is only just getting started, but given the vast amount of information stolen, the sensitivity of that information, and the number of affected accounts, it is going to be big. Very big.
If you are (or were) a T-Mobile customer, you need to take a few simple actions right now to avoid months or years of headaches caused by identity or online account theft.
T-Mobile’s Breach (Refresher)
I wrote a little bit about this in last month’s security round-up.
The short version is that last month T-Mobile had an intrusion in their internal network, and the attacker made off with information on millions of customers: past, present, and prospective.
The long version certainly casts a negative eye on T-Mobile’s security:
- The intrusion was carried out by a single person, a 21-year-old US citizen.
- The intrusion began with a single vulnerable router. That gave the attacker a foothold in T-Mobile’s internal network (more than 100 servers), and once inside there was apparently nothing to stop an unauthorized user from moving laterally from one system to the next.
- The data the attacker stole (incredibly sensitive user data for millions of accounts) was not encrypted on T-Mobile’s servers. Additionally, T-Mobile was holding a lot of data it had no need to keep, for example records on prospective customers from more than 10 years ago.
- T-Mobile did not know anyone was inside their network until a third party notified them after finding the customer information for sale on the dark web. In other words, no network intrusion monitoring or detection caught the attacker.
- All these missteps are made far worse by the fact that this is the fourth data breach to hit T-Mobile since 2015. It seems they have done little to secure customer data in the past five years.
What You Need To Do
Since T-Mobile is apparently too incompetent to secure your account data, that means you have to act – and act fast.
Your priority needs to be to secure as many of your vulnerable accounts as possible.
Change Your PIN!
In addition to the “usual” personal information (name, address, SSN, birthday, etc.) that was accessed in this breach, one of the more troubling items was account PINs.
Consider what information you need to provide to change your cell service or transfer service from one SIM card to another. All of that information, apart from the PIN, is easily obtainable, either from the data in this T-Mobile breach or from one of the dozens of major data breaches of the past decade.
That means the security of your cell phone number (something that is often used as a two-factor authentication token) comes down to your PIN.
With all that riding on it, choose your PIN carefully. Do not use your (or a family member’s) birthday, street address, ZIP code, SSN, or any other number that someone holding the breached data could guess.
If you were using your T-Mobile PIN anywhere else (debit card, etc.), change it there too.
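As an added example (not code from the original post, and not T-Mobile’s policy), here is a small Python PIN checker that applies the rule above mechanically. It rejects a PIN that can be derived from the personal data an attacker already holds after this breach (birthday, ZIP code, SSN, street number, phone number) or that follows a common weak pattern (repeated or sequential digits, the most common leaked PINs), and it draws a fresh random PIN that passes every check. The sample breached record, the 4-digit minimum length, and the short common-PIN list are constructed assumptions for illustration.

```python
import secrets
from datetime import date
from typing import Iterable, List

# Assumed policy floor for this example; carriers set their own length rules.
MIN_PIN_LEN = 4

# Constructed short list of PINs that top every published leaked-PIN
# frequency analysis; a real deployment would load a much fuller list.
COMMON_PINS = {
    "1234", "1111", "0000", "1212", "7777", "1004", "2000", "4444", "2222",
    "6969", "9999", "3333", "5555", "6666", "1122", "1313", "8888", "4321",
    "2001", "1010", "123456", "111111", "000000", "121212", "654321",
}

# Constructed sample of what one breached record might contain:
# SSN, ZIP code, street number, phone number, and date of birth.
SAMPLE_NUMBERS = ["123-45-6789", "98109", "1600", "(555) 867-5309"]
SAMPLE_DATES = [date(1990, 7, 4)]


def digits_only(value: str) -> str:
    """Strip dashes, spaces and anything else that is not a digit."""
    return "".join(ch for ch in value if ch.isdigit())


def date_patterns(d: date) -> set:
    """Every plausible way to write one date as a run of digits
    (MMDD, DDMM, YYYY, MMYY, YYMM, DDYY, MMDDYY, DDMMYY, YYMMDD, MMYYYY, ...)."""
    yyyy = f"{d.year:04d}"
    yy, mm, dd = yyyy[2:], f"{d.month:02d}", f"{d.day:02d}"
    return {
        mm + dd, dd + mm, yyyy, mm + yy, yy + mm, dd + yy,
        mm + dd + yy, dd + mm + yy, yy + mm + dd, mm + yyyy,
        yyyy + mm + dd, mm + dd + yyyy, dd + mm + yyyy,
    }


def is_sequence(pin: str) -> bool:
    """Constant-step runs such as 1234, 4321 or 2468."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return len(steps) == 1 and steps != {0}


def is_repeated(pin: str) -> bool:
    """All one digit (1111) or a short block repeated (1212, 123123)."""
    for block in range(1, len(pin) // 2 + 1):
        if len(pin) % block == 0 and pin == pin[:block] * (len(pin) // block):
            return True
    return False


def pin_problems(pin: str, personal_numbers: Iterable[str],
                 known_dates: Iterable[date]) -> List[str]:
    """Return the reasons a PIN is guessable; an empty list means it passes."""
    problems: List[str] = []
    if not pin.isdigit() or len(pin) < MIN_PIN_LEN:
        return [f"PIN must be at least {MIN_PIN_LEN} digits"]
    if pin in COMMON_PINS:
        problems.append("one of the most common PINs")
    if is_repeated(pin):
        problems.append("repeated digits")
    if is_sequence(pin):
        problems.append("sequential digits")
    for number in (digits_only(n) for n in personal_numbers):
        # PIN lifted out of a breached number (last 4 of the SSN, a slice of
        # the phone number), or a whole breached number embedded in the PIN.
        if number and (pin in number or (len(number) >= 4 and number in pin)):
            problems.append("derived from personal data in the breach")
            break
    for d in known_dates:
        if any(pattern in pin for pattern in date_patterns(d)):
            problems.append("derived from a known date (birthday)")
            break
    return problems


def generate_pin(length: int, personal_numbers: Iterable[str],
                 known_dates: Iterable[date]) -> str:
    """Draw PINs from a CSPRNG until one survives every check above."""
    personal_numbers = list(personal_numbers)
    known_dates = list(known_dates)
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(length))
        if not pin_problems(pin, personal_numbers, known_dates):
            return pin


if __name__ == "__main__":
    for candidate in ["0704", "6789", "1234", "2468", "98109", "071990", "8052"]:
        print(candidate, pin_problems(candidate, SAMPLE_NUMBERS, SAMPLE_DATES))
    print("suggested:", generate_pin(6, SAMPLE_NUMBERS, SAMPLE_DATES))
```

Run it as a script to see which of the sample candidates are rejected and why; only “8052” passes against the sample record, and the suggested PIN comes from the `secrets` module rather than `random`, so it is not predictable from a seed.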
Remember that most account recovery processes send a code to your cell phone by SMS or to your email address. If someone really wants to take over your online identity, they will likely start by porting your cell phone number to a handset they control (a SIM swap). Once they have done that, every account-recovery SMS goes to them, and you have very little recourse.
Freeze Your Credit
One of the most common consequences of a breach of this magnitude is identity theft. Malicious actors will use the information from this breach to open bank accounts, credit cards, loans, and other accounts that require a credit check. The easiest way to prevent someone from using your stolen identity this way is to freeze your credit. Thankfully, that is relatively easy to do online: all the major credit bureaus let you freeze and unfreeze your credit at no charge.
I try to keep my credit frozen at all times. If you are applying for a loan or credit card you can temporarily unfreeze it, but while it is frozen it is much harder for anyone to open a credit card or other account in your name. Here are the four (note that there is a new one) places to freeze your credit.
Each of the following has a page where you can sign up for a credit freeze online:
- Equifax
- Experian
- TransUnion
- Innovis: this is a relatively new one. Make sure you freeze your credit here, too.
Remember that a credit freeze is different from a credit lock. The credit bureaus will try to upsell you on a variety of services, but a credit freeze is 100% free. If you land on a page that describes a monthly fee or subscription service, don’t pay it! Make sure you get the free credit freeze.
Take action on both of these items as soon as possible! It is a minor inconvenience now, but getting your online security sorted out ahead of time is much better than trying to recover from major identity theft.