According to a letter template published by the California Attorney General, T-Mobile is gearing up to send an unknown number of notification letters this month, after a file stored on a server maintained by one of their suppliers was accessed improperly.
From the letter:
"We are writing to inform you of a recent incident of unauthorized access to a file stored on servers owned and managed by a T-Mobile supplier. This file contained personal information, including name, address, Social Security number and/or Driver’s License number...
"Although we believe the primary goal of the access was to obtain credit card numbers (which were not included in the file), the information that was accessible could also potentially be misused. Our supplier has taken immediate measures to secure the impacted servers..."
T-Mobile is planning to offer customers identity theft insurance for up to one year due to the incident. Experian will handle the details.
The letter does a good job notifying the customer that something happened, but it also raises a few concerns. Who was the supplier? Why did they collect such personal information? How was it being stored? The letter mentions a "file", so was this a single Excel spreadsheet, or a database?
T-Mobile says the supplier detected the breach on November 26, 2013, but doesn't explain why customers are just now being told. There's also the question of scale. How many customers were impacted by the incident? Where are they located?
I've reached out to T-Mobile to see if they'll share additional data. In the meantime, if you're a T-Mobile customer impacted by this incident, you'll be getting a letter from the company sometime soon.
Hat Tip: Databreaches.net