T-Mobile has confirmed that it was aware of SIM swap attacks affecting what it said was a “very small” number of customers, Bleeping Computer reported Wednesday (Dec. 29).
The carrier said the impacted customers had been informed already.
A SIM swap attack is when social engineering is used to get customers to switch phone numbers, letting attackers take over. Because phone numbers are connected to other things like email and bank accounts, sensitive information can be at risk in those situations.
According to T-Mobile, the attack had been mitigated and the issue fixed. However, no other details about the attack were available, such as the number of customers affected or how the SIM swap had happened.
In an earlier data breach in August, the attackers were able to glean phone numbers, addresses, birth dates, social security numbers, driver’s license and ID info and more for over 50 million people, which the attackers then offered for sale.
T-Mobile CEO Mike Sievert said then that the company was sorry for the breach and that it had been the result of a “bad actor” who had made use of the T-Mobile tech systems to gain access to testing environments. He said that brute force was used on the IT servers.
T-Mobile is taking preventative measures, including entering into a long-term partnership with cybersecurity experts at Mandiant along with KPMG, a consulting firm. The company said it’s going to continue to invest in security improvements for years.
SIM swaps have become common in recent years, and the Federal Communications Commission (FCC) even took up the issue earlier in 2021, with PYMNTS writing that the organization had received numerous complaints of harm.
The FCC plans to change the rules so that carriers need to have more secure ways to authenticate customers before redirecting phone numbers to new devices. In addition, the FCC proposed requiring providers to notify customers whenever a SIM change or port request happens on the customer’s account.