T-Mobile USA has provided clarification on a recent data breach notification, stating that it was triggered by an insider incident with a very limited impact.
A notice submitted to the Maine Attorney General’s Office this week informs its recipient that T-Mobile recently detected unauthorized access to limited information from their T-Mobile account.
Exposed information included full name, email address, physical address, account number and associated phone number, T-Mobile account PIN, date of birth, driver’s license number, and SSN.
The company said personal financial account information and call records were not impacted, and the affected user’s T-Mobile account PIN has been reset as a precaution.
The data breach notification sent to the Maine AGO indicates that only ‘1’ individual was impacted, but companies occasionally use ‘1’ as a placeholder when the total number of affected individuals has yet to be determined.
In addition, the description in the notice may be interpreted as a mass credential-stuffing attack targeting T-Mobile accounts. In credential-stuffing attacks, threat actors use credentials compromised in other breaches to target accounts protected by the same username-password combination.
However, T-Mobile told SecurityWeek that only one account was indeed impacted by the incident.
“We identified an isolated incident involving a single vendor employee who improperly accessed information related to a customer. No credentials were compromised,” a T-Mobile spokesperson said.
“We have notified relevant authorities in accordance with applicable reporting requirements. We have also notified law enforcement and contacted the affected customer directly,” the spokesperson added.
T-Mobile has disclosed several significant data breaches in past years, including one affecting 37 million accounts.

