T-Mobile is reporting that hackers pilfered social security and driver’s license numbers, and other personal information, from more than 40 million current and prospective customers. According to the Wall Street Journal, the stolen data is already being auctioned on the dark web —with prices for some data sets ranging far into the tens of thousands of dollars. This type of personal information can be used to commit SIM swapping, a form of identity theft in which a hacker—after accessing a victim’s personal information—uses social engineering techniques to convince the mobile carrier to port that victim’s phone number to the hacker’s SIM. Once this happens, the hacker can attempt to reset the victim’s login credentials and receive one-time passwords sent to the victim’s mobile phone number, thereby circumventing many two-factor authentication methods. SIM swapping thus enables cybercriminals to access any account tied to the victim’s phone number. T-Mobile has set up an online portal to provide information to potential victims and has reportedly reset account PINs for accounts that may have been compromised.
Nixon Peabody’s Cybersecurity & Privacy Team will continue to monitor developments relating to this breach.