The news about T-Mobile’s latest data breach is only getting worse, as the company announced new details from its investigation. While someone in possession of the leaked data said they had obtained information for as many as 100 million customers, including driver’s license info, IMEI numbers, and more, T-Mobile’s first statement put the figure at 47 million or so and did not mention the IMEI / IMSI data.
Now, T-Mobile has confirmed that for the 7.8 million on-contract, or postpaid, customers it already counted in the breach, data stolen includes the information mentioned Thursday (first and last names, dates of birth, Social Security numbers, and driver’s license / ID numbers), as well as phone numbers and IMEI / IMSI information. IMEI stands for International Mobile Equipment Identity and is a number that’s assigned to every mobile device.
IMSI stands for International Mobile Subscriber Identity and is the identifier for the SIM card to which your mobile phone number is tied. That kind of data could be used to track mobile devices or assist in SIM swapping attacks, where someone hijacks your phone number to intercept two-factor authentication codes or other information.
Additionally, 5.3 million more postpaid customers have been identified as part of the breach, but their driver’s license / ID and Social Security numbers were not revealed. The same goes for an additional 667,000 accounts of former T-Mobile subscribers that are being added to the total. Former Sprint prepaid and Boost Mobile customers are still in the clear; however, 52,000 names tied to Metro by T-Mobile accounts were stolen.
An unspecified number of files contained “phone numbers, IMEI, and IMSI numbers.” According to T-Mobile, that did not include any personally identifiable information, which is a questionable claim since it could be easy to tie someone’s identity to their phone number based on other leaked data or by simply browsing publicly available listings.
The FCC already announced it’s investigating the incident, and at least one class-action lawsuit has been filed against T-Mobile, calling its response and promised two years of identity protection services “inadequate.” The investigation is still ongoing, but T-Mobile customers (current, former, or just prospective ones who filled out an application) can go here for more information.