T-Mobile Shouldn't Be Storing the Sensitive Financial Information of More Than 40 Million Non-Customers

WASHINGTON — Early Wednesday, Bloomberg reported that T-Mobile’s recent data breach included the theft of sensitive information about 7.8 million current users and more than 40 million past or prospective customers who had had their credit checked by the carrier.

The stolen data include full names, birthdates, Social Security numbers and other personal-identification numbers.

The report reveals that T-Mobile routinely retains critical information about people who don’t currently subscribe to its services. The company has a history of data breaches that include incidents in 2018 and 2019, when hackers gained access to the names, billing addresses, phone numbers and other account details of approximately 15-million customers. The recent theft is among the largest thefts of Social Security numbers, following a 2017 breach of Equifax data that exposed the numbers of about 143 million people.

Free Press Research Director S. Derek Turner made the following statement:

“It seems every few weeks brings news of hackers exploiting the negligence of massive corporations to steal the most sensitive personal information of their customers. T-Mobile’s latest breach — its third in four years — is particularly troubling, with hackers accessing Social Security numbers, birthdates, drivers licenses and other deeply sensitive information of tens of millions of people who aren’t even T-Mobile customers.

“T-Mobile collected this information to run credit checks because its business model involves bundling phone service with expensive devices, which customers pay off over a multi-year period. Research demonstrates that credit checks perpetuate systemic racism and worsen the digital divide. The use of credit checks — and their disproportionate harm to people of color — is an area that demands attention from policymakers.

“The financial and emotional damage from having your Social Security number stolen is real and devastating. T-Mobile owes the nearly 50 million people who had their most-sensitive personal information stolen far more than free credit monitoring or a perfunctory apology and useless reiteration of how seriously it takes this.

“Why did T-Mobile retain the sensitive personal information of 40 million people who aren’t current customers or who were never customers? Why is it legal to retain this information at all? Was T-Mobile too distracted by its merger with Sprint to protect this information from hackers?  

“By now it should be clear to everyone — especially policymakers and corporations — that hackers will not stop trying to get their hands on our most sensitive personal data. It should also be clear that corporations are not willing to do what it takes to prevent these breaches. Nor are they willing to appropriately compensate the victims of their negligence.

“The government must hold these corporations accountable. Company use of sensitive information like Social Security numbers should be strictly regulated. And corporations should face severe liability if they fail to keep this information secure.

“Congress, the FTC, state legislators and attorneys general all have a role to play here. Regulators must investigate T-Mobile’s actions after the 2018 and 2019 breaches that preceded the recent incident to see if the company acted carelessly or violated any existing laws. And while holding T-Mobile accountable is critical, policymakers need to go much further to protect everyone from the consequences of lax corporate-security practices and unnecessary data retention. The time to act is now.”