Wireless service provider T-Mobile USA confirmed reports that hackers succeeded in gaining unauthorized access to some of its data, but said it was too early to tell whether that involved any “personal customer data.”
The provider’s statement on the data hack follows reporting earlier this week that hackers were offering stolen T-Mobile customer data for sale.
“We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed,” the carrier said on August 16. The company said it “determined that unauthorized access to some T-Mobile data occurred,” but has not yet found out whether the hack touched any personal customer data.
“We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed,” T-Mobile said.
“We take the protection of our customers very seriously and we are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement,” the company said.
T-Mobile said its investigation “will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.”
Separately, Neil Jones, cybersecurity evangelist at Egnyte, commented, “Although the technical details of this potential attack are still being researched, this is a classic example of the need for organizations to partition data, and store highly sensitive information such as driver’s license, IMEI, and social security numbers separately from primary identification information such as names, addresses, and phone numbers.”
“The easier it is for a potential attacker to ‘mine’ a company’s data, the more likely they’re able to generate financial gain on the dark web,” Jones added. “This is also a stark reminder that highly-sensitive data should always be categorized by your users’ ‘business need to know,’ to prevent potential internal threats.”