T-Mobile denies rumors of a breach affecting employee data

T-Mobile said rumors of a breach affecting their employees’ data are inaccurate, attributing a leak to an April attack on an independent retailer.

On Thursday evening, researchers for the malware repository vx-underground said they had been contacted by hackers going by the names "Doubl" and "Emo" about a breach that occurred in April – right after a T-Mobile breach that took place in March 2023.

The 90 gigabytes of stolen employee data were being shared on criminal forums and spread throughout Telegram and Discord, according to vx-underground. The researchers shared censored screenshots of samples from the stolen data, writing that “information from the leak is very large and we would not be able to sufficiently detail everything leaked in text because it is multiple databases.”

A T-Mobile spokesperson told Recorded Future News that no breach of their company systems had occurred in April.

“There has not been a T-Mobile data breach,” the company said.

“The data being referred to online is believed to be related to an independently owned authorized retailer from their incident earlier this year. T-Mobile employee data was not exposed.”

A post on the cybercrime marketplace BreachForums attributes the breach to an April cyberattack on Connectivity Source, an independently-owned dealer that uses T-Mobile branding and sells wireless handsets, connected watches and tablets. The company did not respond to requests for comment.

The stolen information, purportedly from Connectivity Source, ranged from employee IDs, dates of hiring and firing, employee login information, Social Security numbers, as well as service account details for employees.

The issue caps a difficult week for T-Mobile after hundreds of customers took to social media to complain that they could see the information of other customers on their accounts — including personal data like current credit balances, purchase history, credit card information, and home addresses.

T-Mobile eventually told The Verge that the issue was not related to a security event but instead was a “temporary system glitch related to a planned overnight technology update involving limited account information for fewer than 100 customers, which was quickly resolved.”

One of the three largest telecommunications companies in the U.S., T-Mobile dealt with several large data breaches over the last three years.

Last year, the company agreed to pay $350 million to a group of victims and commit $150 million extra to security upgrades to settle a class-action lawsuit brought in the wake of a 2021 hack of sensitive customer data.

Noted extortion group Lapsus$ also gained access to the company’s systems last year. In August, the company was involved in a breach affecting bankrupt cryptocurrency platforms FTX and BlockFi.

The Federal Communications Commission voted unanimously to investigate potential changes to the breach notification rules for telecommunications companies in January, with FCC Chairwoman Jessica Rosenworcel arguing that the rules the agency created more than 15 years ago are no longer compatible with a modern world where telecommunication carriers have access to a “treasure trove of data about who we are, where we have traveled, and who we have talked to.”

In a 40-page proposal document, the FCC explained that there have been multiple breaches affecting the country’s largest telecommunications companies: Verizon, T-Mobile and AT&T.

“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” Rosenworcel said.