Consumer Alert Reissued Following Wireless Company Data Breach

The company shared two additional updates Friday: 

• “We previously reported information from approximately 7.8 million current T-Mobile postpaid customer accounts that included first and last names, date of birth, SSN [social security number], and driver’s license/ID information was compromised. We have now also determined that phone numbers, as well as IMEI [international mobile equipment identity] and IMSI [international mobile subscriber identifier] information, the typical identifier numbers associated with a mobile phone, were also compromised. Additionally, we have since identified another 5.3 million current postpaid customer accounts that had one or more associated customer names, addresses, date of births, phone numbers, IMEIs and IMSIs illegally accessed. These additional accounts did not have any SSNs or driver’s license/ID information compromised. 
• “We also previously reported that data files with information from about 40 million former or prospective T-Mobile customers, including first and last names, date of birth, SSN, and driver’s license/ID information, were compromised. We have since identified an additional 667,000 accounts of former T- Mobile customers that were accessed with customer names, phone numbers, addresses and dates of birth compromised. These additional accounts did not have any SSNs or driver’s license/ID information compromised.” 

Experts warn securing IMEIs and IMSIs pose a greater threat of bad actors accessing a customer’s bank account via the app on the user’s phone. 

T-Mobile has said the company will be contacting affected customers directly.  

“My Corporate Oversight Division is closely monitoring this developing situation and working to gather more information on the cause, impact to Michigan customers, and response,” Nessel said. “Unfortunately, this widespread data breach is an example of the lengths hackers will go to steal personal data that can then be sold to bad actors looking to commit fraud.” 

Nessel’s Data Breaches: What To Do Next Consumer Alert provides important information on how to respond if you think your personal information was compromised, as well as advice on protecting your identity.  

Consumers have the right to order a free credit report from each of the three major credit reporting companies every year through the following: 

• by mail—complete the annual credit report request form and send to the listed address; 
• by telephone—call 877-322-8228 (toll free); or 
• online—annualcreditreport.com, is the only truly free credit report website.  
  • Beware: Misspelling this site or using another site with similar words will take you to a site that will try to sell you something or collect your personal information. 

However, during the pandemic, everyone in the U.S. can get a free credit report each week from all three national credit bureaus (Equifax, Experian, and Transunion).  Additionally, everyone in the U.S. can get six free credit reports per year through 2026 by visiting the Equifax website or by calling 866-349-5191.   

Other ways to respond to a data breach explained in the alert include: 

1. Put a fraud alert on your credit file: A fraud alert is a free alert, or flag, that is placed on your credit file when you notify a credit reporting agency that your information may have been compromised. This alert will make it more difficult for anyone to open an account in your name. 
2. Consider a security freeze on your credit file: A security freeze or credit freeze is something you request from a credit reporting agency to restrict access to your credit report. This makes it more difficult for identity thieves to open new accounts in your name because most creditors will demand to see your credit report before they approve new credit. If a creditor cannot see your file, then the creditor should not extend the credit. A credit freeze does not prevent all third parties from seeing your report.  
3. Credit monitoring: Credit monitoring is a service that tracks your credit report and alerts you whenever a change is made. This gives you the opportunity to confirm the accuracy of the change and, if needed, contest any inaccuracy. The specifics of any service will depend on the provider; however, most advertise they will notify you within 24 hours of any change to your credit report. 
4. Take advantage of any free services being offered as a result of the breach: Take advantage of any unconditional and free subscriptions to any credit monitoring, fraud resolution, or other service designed to protect and help you. Before you accept a free subscription offered to you as a result of a security breach, carefully consider any conditions placed on your acceptance of this subscription. For example, will you be charged after a short free period, or will you only get the free subscription if you give up your right to additional legal redress? 
5. Use two-factor authentication: For accounts that support it, two-factor authentication requires both your password and an additional piece of information to log in to your account. The second piece could be a code sent to your phone, or a random number generated by an app or a token (a physical object in user’s possession). This protects your account even if your password is compromised. 

T-Mobile set up a web page in response to the data breach where customers can go for additional information. 

Your connection to consumer protection is just a click or phone call away. The Department provides a library of resources for consumers to review anytime online on a variety of topics. Nessel’s Consumer Alerts, which cover a wide range of topics, can also be reviewed on the Department’s website.