The claim was first discovered and reported by Vice News. Researchers came across a hacker on an online forum asking for Bitcoin in exchange for Social Security numbers.
Though T-Mobile isn’t mentioned in the for-sale post on the forum, the hacker told Vice that the data was a subset of 100 million records that had been taken from T-Mobile servers.
The hacker alleged that the company misconfigured a gateway GPRS support node used for testing, exposing it to the internet and allowing the attacker to eventually pivot to the LAN.
It is alleged that the stolen information includes customers’ phone numbers, names, physical addresses, Social Security numbers, and driver licenses.
The hacker said that the rest of the data, which isn’t being offered for sale on the forum, is being sold privately.
In a statement to Reuters, T-Mobile said: “We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time.”
Sharon Besser, SVP of Guardicore, said that if the data breach does prove to be genuine, it shows how important it is to properly segment internal environments to limit attackers’ ability to access ‘crown jewel’ data.
“Repeated instances like this highlight the fact that organizations still struggle with reducing the attack surface and limiting lateral movement once a trusted network has been compromised,” she said.
Jack Chapman, VP of Threat Intelligence at Egress, said the data breach “could be one of the most serious leaks of consumers’ sensitive information we’ve seen so far this year” due to the number of potential victims.
“The data leaked in this breach is reported as being already accessible to cyber-criminals, who could now weaponize it to formulate sophisticated phishing attacks targeting the victims,” said Chapman. “Follow-up attacks may utilize the information accessed through this data breach to trick people into sharing more personal data that can be used for identity and financial fraud.”