Data Breach Exposes Consumers of T-Mobile to SIM Swapping Attacks


T-Mobile filed a Form 8-K with the Securities and Exchange Commission on January 19, 2023, disclosing a significant data breach that exposes millions of customers to T-Mobile SIM swapping attacks.  According to the SEC disclosure, the attacker first accessed T-Mobile’s systems on November 25, 2022, but the activity was not detected until January 5, 2023, a window of roughly six weeks.  The breach leaves many current and former T-Mobile customers exposed to malicious activity, including SIM swapping.

Attorney Marc Fitapelli Discusses SIM Swap Attacks

Breach Impacted 37 Million Customers

According to the disclosure, T-Mobile identified that a malicious actor obtained data through an API, or application programming interface, without permission or authorization.  According to T-Mobile, the breach did not expose any customer credit card numbers, Social Security numbers or driver’s license information.  However, the incident did give the attacker access to customers’ names, phone numbers, billing and email addresses and dates of birth.  Taken together, these fields are exactly the details a carrier’s customer service line typically uses to verify a caller’s identity, which is what makes the data useful for SIM swapping.  The incident impacted approximately 37 million current prepaid and postpaid customer accounts.  The filing with the Securities and Exchange Commission warns T-Mobile investors that the company “may incur significant expenses in connection with the incident.”

Customers are Vulnerable to T-Mobile SIM Swap Attacks

There are multiple ways hackers and other bad actors could use the stolen information, including SIM swapping attacks.  Sophisticated criminals know that individuals use their cell phones for two-factor authentication.  SIM swapping occurs when a criminal persuades or bribes a carrier into moving a victim’s phone number to a SIM card the criminal controls, so that the criminal, rather than the victim, receives SMS two-factor authentication (2FA) codes and password-reset messages.  These codes are used to access bank accounts as well as accounts at centralized cryptocurrency exchanges, such as Coinbase.  The recent T-Mobile data breach exposes millions of consumers to SIM swapping attacks, because the leaked names, dates of birth and addresses are the same details a criminal needs to impersonate a customer to the carrier.  To prevent such an attack, MDF Law recommends that users do not rely on cell phones for two-factor authentication and, instead, use hardware tokens.  If users do use their cell phones for 2FA, they should contact their carrier and ask whether the SIM can be locked or the number prevented from porting, for example by setting a port-out or account PIN that must be supplied before any SIM change.  Users should also treat an unexpected loss of cellular service as a possible sign that a swap has already occurred and contact the carrier immediately.

T-Mobile Likely Violated Federal Law

T-Mobile, like all cell phone providers, must protect customers’ personal confidential information under the Federal Communications Act, or FCA.  Under the FCA, a telecommunications carrier is prohibited from disclosing a customer’s “proprietary network information” to unauthorized third parties.  Civil remedies under the FCA include the “full amount of damages sustained in consequence of any such violation…together with a reasonable counsel or attorney’s fee…”

The regulations that accompany the FCA also provide that a customer must give the telecommunications carrier a password if a SIM swap request is made over the phone.  If a password is not provided, the carrier may only disclose information by sending it to the customer’s address of record or by calling the customer at the phone number of record.  If an individual requests a SIM swap at a store, the carrier may only disclose information to an individual who presents a valid photo ID that matches the customer’s account information on file.

Under the same regulations, cell phone providers must also notify customers “immediately” whenever there is a change to a password or address or whenever a customer requests a back-up means of authentication.  The provider is required to deliver this notification either to the phone number of record (via voice or SMS) or by mail to the address of record.  Mobile carriers must also notify both customers and federal law enforcement if there is a breach of customer proprietary network information, or CPNI.

Copy of the January 2023 SEC Filing

Were You a Victim of T-Mobile SIM Swapping?

If you or someone you know had an account at T-Mobile and was a victim of T-Mobile SIM swapping, our law office may be able to assist you.  Please call 800-767-8040 or complete the form below for a free and confidential consultation.
