T-Mobile USA Inc. has suffered another data breach, its fourth since 2018, resulting in the theft of some information relating to customer accounts.

Described by the company as a “security incident,” the hack is said to have involved “malicious, unauthorized access” to some information related to T-Mobile accounts.

The information stolen is described as “customer propriety network information” that may include phone number, number of lines subscribed and in some cases, call-related information. T-Mobile did note that the data did not include names, physical or email addresses, financial data, credit card information, Social Security numbers, tax identification numbers, passwords or PINs.

There’s the usual tick-box response as to how it’s dealing with the incident, including starting an investigation, employing third-party cybersecurity forensics experts to determine what happened and informing law enforcement. Individual customers who have been affected will also be contacted directly.

A spokesperson for T-Mobile told Fox Business that the hack occurred in early December and affected fewer than 0.2% of the company’s customers.

Previous hacks involving T-Mobile include the theft of the details of 2 million customers in August 2018, a hack involving the theft of prepaid customer data in November 2019 and, for the hat trick, the theft of employee and customer data in March.

“The volume of attacks and successful attacks against wireless carriers continues to rise,” Brandon Hoffman, chief information security officer at IT service management company Netenrich Inc., told SiliconANGLE. “In this particular case, one has to wonder if it is related to the merging of two titans. Sprint had a series of issues last year and this is another in a list of successful attacks on T-Mobile.”

Hoffman said there’s an opportunity here to review the foundations of cybersecurity relative to the merged entity and find out where quick wins can be had to shore up defenses. “With the volume of successful attacks that we are seeing, either they are suffering from consistent advanced persistent threats or there is something easily exploited that is being overlooked,” he said.

Hank Schless, senior manager for security solutions at mobile security solutions provider Lookout Inc., noted that although it appears that the attackers weren’t able to collect any highly sensitive personal data of T-Mobile customers, there is still risk posed to those whose phone numbers were stolen in the breach.

“An area code is all an attacker needs to carry out a socially engineered mobile phishing attack,” Schless explained. “Lookout discovered a mobile phishing campaign in February 2020 that associated area codes with popular banks in the area to try to phish mobile banking login credentials.”

He added that the attacker can pretend to be T-Mobile support over voice or text in order to get customers to share their login credentials. “Since customers know there was a recent security incident, they may not think twice before engaging with an individual who claims they can help,” he said. “If this were successful and the attacker made their way into the customer’s account, they could have access to sensitive information associated with the account.”

Photo: T-Mobile