Latest T-Mobile Data Breach Tops the List of Notable August Compromises

Date: 09/01/2021
  • T-Mobile’s most recent 2021 data breach impacts 50+ million people. The exposed information includes Social Security numbers (SSNs), driver’s licenses, phone numbers, and International Mobile Equipment Identities (IMEIs) and International Mobile Subscriber Identities (IMSIs).
  • According to Threatpost, Microsoft’s Power Apps management portal exposed the data of 47 businesses for months, including 38 million people’s personal records. The information exposed varies by company. However, it ranges from names, COVID-19 vaccination status, email addresses, and phone numbers to SSNs and job titles.
  • Approximately 1.4 million people were impacted by a ransomware attack on St. Joseph’s/Candler Health System in Georgia that shut down the healthcare provider’s systems. Information compromised includes health insurance information, financial information and medical records information.
  • Anyone impacted by a data breach should follow the advice in the notification letter, change their password to a long and unique passphrase and keep an eye out for phishing attempts that claim to be from the breached organization.
  • For more information about August 2021 data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
  • If you believe you are a victim of identity theft from a data breach, contact the ITRC toll-free at 888.400.5530 or through live-chat on the company website www.idtheftcenter.org.

Notable August Data Breaches

Of the nearly 160 data events the Identity Theft Resource Center (ITRC) tracked in August, three stand out: T-Mobile, Microsoft and Georgia’s St. Joseph’s/Candler Health System (SJ/C). T-Mobile’s latest 2021 data breach highlights the jump in mobile breaches. The Microsoft data event is significant because it’s due to a flaw in a platform’s security. Finally, SJ/C exposed 1.4 million people’s personal information after a ransomware attack on the healthcare system.

T-Mobile

According to T-Mobile, identity criminals compromised T-Mobile’s systems. The company says hackers gained access to their testing environments and then used brute force attacks and other methods to make their way into other IT servers. T-Mobile located and closed the access point they believe was used to gain entry to their servers.

On August 17, T-Mobile confirmed that approximately 47 million people were impacted by their latest data breach in 2021. T-Mobile also said the data stolen from their systems includes personal information like customers’ names, dates of birth, Social Security numbers (SSNs), and driver’s license/identity information for current, past, and prospective customers.

However, in an update on August 20, T-Mobile said they discovered that phone numbers, as well as the typical numbers that allow a mobile phone to be identified and join a network (the International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI)), were also compromised in the third T-Mobile data breach since December 2020. T-Mobile identified another 5.3 million current customer accounts with one or more associated names, addresses, dates of birth, phone numbers, and IMEIs and IMSIs illegally accessed.

Microsoft

According to Threatpost, research from UpGuard revealed Microsoft’s Power Apps management portal accidentally exposed the data of 47 businesses for months, including 38 million people’s personal records. UpGuard reports that Microsoft’s Power Apps platform was flawed in the way it forced customers to configure their data as private or public. The article says that Microsoft does not consider the data issue a vulnerability, but rather a configuration issue that can be improved.

Information exposed varies per business. However, the personal information ranges from names, COVID-19 vaccination status, email addresses and phone numbers to SSNs and job titles. Some of the notable businesses impacted are American Airlines, Ford, the Maryland Department of Health and the New York City schools.

UpGuard says since disclosure of the issue, Microsoft released a tool for checking Power Apps portals for leaky data. Microsoft also plans to change the product so that permissions will be enforced by default. Microsoft’s data event is one of the first data breaches in 2021 the ITRC has seen due to a flaw in platform security. It is considered one of the rarest forms of data compromise.

St. Joseph’s/Candler Health System

On August 10, SJ/C, a healthcare system in Savannah, Georgia, released information on a ransomware attack on their systems. According to the news release, SJ/C found suspicious activity in its IT network and launched an investigation. The investigation determined that the incident resulted in an unauthorized party gaining access to its IT networks between December 18, 2020 and June 17, 2021 and launching a ransomware attack, making the systems inaccessible.

Nearly 1.4 million individuals were impacted by the data breach, both patients and employees. At-risk information includes SSNs, driver’s license numbers, patient account numbers, billing account numbers, financial information, health insurance plan member I.D. numbers, medical record numbers, medical and clinical treatment information and much more.

SJ/C says that, following the incident, it has implemented and will continue to adopt additional safeguards and technical security measures to further protect and monitor its systems. The ITRC has seen similar incidents happen across the U.S., including at Scripps Health in San Diego, California.

What to Do if These Breaches Impact You

Anyone who receives a data breach notification letter should follow the advice offered by the impacted company. The ITRC suggests you immediately change your password and switch to a 12+-character passphrase, change the passwords of other accounts with the same password as the breached account, consider using a password manager, use multi-factor authentication with an app (not SMS/text) and keep an eye out for phishing attempts that claim to be from the breached organization.

T-Mobile recommends all eligible customers sign up for scam blocking protection through the company’s Scam Shield as protection from the latest data breach in 2021. They are also directing people to a customer support webpage with breach information and access to tools.

SJ/C has a toll-free incident response line to answer people’s questions about the latest data breach in 2021. Anyone can call 855.623.1933 Monday through Friday between 8 a.m. and 5:30 p.m. EST. Additional information is available at www.sjchs.org.

notified

For more information about August data breaches in 2021, or other data compromises, consumers and businesses should visit the ITRC’s data breach tracking tool, notified, free to consumers.

Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC

If you believe you are the victim of an identity crime or your identity has been compromised in a data event, you can speak with an ITRC expert advisor toll-free by phone (888.400.5530) or live-chat. Just go to www.idtheftcenter.org to get started.
