Welcome to the Identity Theft Resource Center’s Weekly Breach Breakdown for August 20th, 2021. Each week we look at the most recent events and trends related to data security and privacy. Today we’re going to talk about what is one of the most significant data breaches so far this year, T-Mobile, and what you should do in response even if you are not impacted by it.

Show Notes

Our podcast today is possible thanks to support from Experian and Abine. Make sure to subscribe for future podcast episodes!

Follow on LinkedIn

Follow on Twitter

Show Transcript

Facts Are Stubborn, But Statistics Are Pliable 

Welcome to the Identity Theft Resource Center’s (ITRC)Weekly Breach Breakdownfor August 20, 2021. Our podcast is possible thanks to support from Abine and Experian. Each week we look at the most recent events and trends related to data security and privacy. This week, we talk about the T-Mobile data compromise, which is one of the most significant data breaches so far this year. We also talk about what you should do in response, even if you are not impacted by it. 

Mark Twain once wrote that “Facts are stubborn things, but statistics are pliable.” Apply that same principle to data breaches and you get the natural pattern that emerges when personal information is suddenly stolen or exposed by a cybercriminal. The typical response goes something like this:  

“We don’t have any evidence there has been a breach, but we will investigate.” 

Followed by “We have investigated and found that a small number of customers information has been compromised, but we do not believe any sensitive or personal data is at risk.” 

That statement is often followed by an update that sounds like this: “We have now determined that more than X million of our valued customers are directly impacted by unauthorized access by cybercriminals of our systems, and the data involved does include Social Security numbers (SSNs) and other personal information.”  

T-Mobile Suffers its Second Data Breach Since February 2021 

We don’t “name and shame” companies at the ITRC. Cyberattacks and data breaches are an unfortunate consequence of our digital society. It’s only logical that the more you investigate, the more you know, meaning numbers change. We have laws, regulations and courts to handle the blame game. We do, though, use anecdotes to help educate consumers and businesses on how to protect themselves.  

What Happened? 

This week, T-Mobile finds itself in the unenviable position of providing a teaching moment thanks to its third data breach since December 2020 and its second data breach since February 2021. The nation’s third-largest mobile telecom provider did not know it had been breached until a cybercriminal posted customer information stolen from T-Mobile in an identity marketplace used by identity thieves. 

Cybersecurity researchers claim as many as 100 million current, past and prospective customers may be impacted by the T-Mobile data compromise. T-Mobile has confirmed the personal information of 47 million people has been compromised, including customers’ first and last names, dates of birth, SSNs and driver’s license/identity information in some instances. 

T-Mobile customers can visit the carrier’s website t-mobile.com to learn more about the company’s actions to help victims of the breach. 

What Should You Do to Protect Yourself After the T-Mobile Data Compromise? 

What should you do if you are a T-Mobile customer? Actually, it doesn’t matter if you are a T-Mobile customer or not. Here are some actions that everyone should take to help protect their personal information today and after a data breach:  

  1. Do not ignore data breach notices. There are a lot of them. However, there are usually important action steps in the notices, like how to activate free identity protection services. 
  2. Freeze your credit. Credit monitoring is helpful, but it offers no protection. It tells you what happened, but it doesn’t stop anything from happening. To protect yourself, freeze your credit. It’s free, easy and doesn’t impact your credit. 
  3. Change your passwords and PIN numbers to make sure you do not use the same passwords or PINs on more than one account. Make sure the password is long, at least 12 characters, and is something you can remember. You can also use a password manager to generate and keep track of your credentials. Cybercriminals love it when we reuse passwords on more than one account. 
  4. Use multi-factor authentication (MFA or 2FA) on all your accounts that offer it. If possible, use an authentication app rather than have a code sent by text to your phone. Authentication apps are available for free from Microsoft, Google and other software providers. 
  5. If you are a business, make sure you don’t collect more personal information than you need. Don’t keep it longer than you need to complete the transaction. Also, keep what data you do collect and maintain safe and secure by encrypting it. Make sure you offer MFA for your customers’ and prospects’ protection, too. 

Contact the ITRC 

You can always call us at the ITRC if you have questions about what you should do if you receive a data breach notice or hear about a breach in the media, like the T-Mobile data compromise. Just visit www.idtheftcenter.org, where you’ll find helpful tips. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST).  

Thanks again to Experian and Abine for supporting the ITRC and this podcast. We’ll be back next week with another episode of the Weekly Breach Breakdown.