2 million names, phone numbers, account information leaked in T-Mobile data breach

U.S. wireless carrier T-Mobile has revealed that 2 million of its customers, including some with metroPCS, were victims of a data breach that exposed names, billing zip codes, phone numbers, email addresses, and even their account type.

Note: e-End provides secure data destruction of hard drives and electronic media to help prevent a data breach of old IT equipment. See how here.

No financial information, Social Security numbers or passwords were exposed in the breach, the company said. All affected customers have been notified.

Notably, the breach occurred on Aug. 20, and the carrier announced the incident less than a week later, showing quick transparency. Data breach reporting timelines have been a crucial element of regulations regarding regulation of personally identifiable information — including Europe’s General Data Protection Regulation, which gives organizations just 72 hours to report to the relevant regulator.

Affected customers with questions can contact T-Mobile about the breach by dialing 611 on their mobile phone. The company has also noted that it is wise to change passwords regularly, even though none were believed to have been exposed in the hack.

With 75 million customers, the breach affected less than 5 percent of T-Mobile’s subscriber base.

Citing a spokesperson at the carrier, Threatpost reported that the breach occurred after hackers took advantage of a faulty API on an undisclosed part of its website. The attacks originated from IP addresses outside of the U.S.

Woman buys security system that contained photos of previous customer

Lynne Chick bought the four-camera system from online retailer Very, but got a surprise when she turned it on

A woman who bought a "new" security system online was shocked to find it contained someone else’s CCTV pictures and videos. Lynne Chick, 45, from Hawarden, bought a Swann four-camera security system from online retailer Very.


She arranged for the £250 system to be installed at a cost of £300 but, when it was switched on, the installation engineer said it could be accessed externally because someone else’s email account had been used to access the unit’s hard drive, which stores pictures and video.

Ms Chick called Very, who advised her to send the whole package back but, as it had been installed, she would have had to pay for re-installation again.

Her partner called the manufacturers of the system, and they said she should "format" (wipe the information off) the hard drive.

Ms Chick said: “Swann gave us the password to get on to the system. There were photographs on there from January this year with car registration plates clearly visible and a family walking around in their garden.

“There were also photographs from October 2017. It could be a massive breach of data protection.”

 Lynne Chick said her security system came with someone else's photographs on it

Lynne Chick said her security system came with someone else's photographs on it

Ms Chick said that Swann had promised to investigate and were replacing the used unit, but she wanted people to be aware of the dangers of leaving data on hard drives that store personal information.

She added: “I’m concerned they are sending out equipment that has been used and has someone else’s details on it.

“Luckily I am an honest person but it could have been seen by a criminal - not to mention charging full whack for something that is used.”

A spokeswoman for the company confirmed they launched an immediate investigation and sent a brand new replacement for the Digital Video Recording (DVR) unit to Ms Chick.

She said: “From initial investigations, it appears that the unit was distributed as a new product to the retailer, however the product had been misclassified and was a previously used product that should have been sent to our refurbishment department whose process includes the deletion of any data that may have been left by the customer.

 The Swann system bought by Lynne Chick

The Swann system bought by Lynne Chick

“The product classification error occurred as our distribution centre passed this unit back into A Grade stock believing that it was an unopened return.

“We have discussed the cause of this issue with our distribution partner and have put in place additional measures that will result in every returned item being factory reset to ensure all stored data is deleted.

“We are fully aware of our obligations under GDPR and take this very seriously, and accordingly we have reported the issue to the Information Commissioner’s Office.”