After some of the stolen information landed up for sale on the dark web, the New York State Office of the Attorney General (NY OAG) alerted victims of the T-Mobile data breach in August 2021 that they risked identity theft risks. Identity theft protection services told individuals impacted by the event that their information had been discovered online, indicating that affected customers are now at a higher risk of identity theft.
“Information stolen in a massive data breach has fallen into the wrong hands and is circulating on the dark web,” said New York Attorney General Letitia James. “The guidance offered by my office can help prevent identity theft. I advise all New Yorkers to maintain their financial safety by following the guidance my office has laid out.”
According to the NY OAG’s guidelines, consumers at risk should use credit monitoring services to be warned within 24 hours when significant changes are made, such as major purchases or newly established accounts. They could also consider putting a free credit freeze on their credit reports (through Equifax, Experian, or TransUnion) to prevent identity thieves from exploiting stolen personal information to create new credit accounts. Finally, impacted people may set fraud warnings on their credit reports, instructing creditors and lenders to take extra efforts to verify their identity before giving credit.
After a threat actor claimed on a hacker site that he was selling a database containing the personal information of nearly 100 million T-Mobile users, information about the August breach appeared. The breach was verified by the US mobile provider, which subsequently stated that the attacker obtained data from 54.6 million current, past, or prospective customers.
Social Security numbers, phone numbers, names, residences, dates of birth, T-Mobile prepaid PINs, and driving license/ID information were among the data taken in the incident. As per T-Mobile, the attacker did not take any customer financial information, credit card information, debit card information, or other payment information during the incident.
T-Mobile CEO Mike Sievert claimed at the time that the business had shut down the access points used to brute-force their way into the carrier’s network and promised consumers that “there is no ongoing risk to customer data from this breach.” Identity theft accounts for over a quarter of the nearly 5.7 million consumer complaints lodged with the FTC last year (about 1.4 million).