After claims surfaced over the weekend of a massive customer data breach, T-Mobile on Monday afternoon confirmed that “unauthorized access to some T-Mobile data occurred” but hasn’t determined if personal customer data was involved and the carrier continues to investigate.
Vice’s Motherboard first reported claims stemming from an underground online forum posting that purported to be selling some of the information, with the hacker telling the technology news outlet that data obtained was for over 100 million people and came from T-Mobile servers.
T-Mobile said earlier today it was actively investigating if the claims were legitimate.
The update posted to T-Mobile’s website this evening said the carrier is confident the entry point used to gain access had been closed. Still, until the investigation is complete, T-Mobile said it can’t confirm the scale of how many records were obtained or validity of claims made.
Motherboard reported that information included social security numbers, phone numbers, names, physical addresses, unique IMEI numbers and driver licenses. It also said Motherboard viewed samples of the data and confirmed there was accurate information about T-Mobile customers.
Below is the full update from T-Mobile:
“We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed. We take the protection of our customers very seriously and we are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement.
We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed. This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.
We understand that customers will have questions and concerns, and resolving those is critically important to us. Once we have a more complete and verified understanding of what occurred, we will proactively communicate with our customers and other stakeholders.”