T-Mobile data breach: Tips to protect yourself

Hack involving tens of millions of customers is a wake-up call for all of us to protect our information.

Aug. 20, 2021
By Teresa Murray and Hannah Rhodes

The scope of the T-Mobile data breach has grown as the week went on. First, T-Mobile said it was about 48.7 million current, former or prospective customers. Now it’s about 54.7 million. For some people, it includes Social Security numbers and driver’s license numbers. But not for others. Meanwhile, the hackers say they have personal data on 100 million people. No one seems certain right now, and it really doesn’t matter when it comes to the steps consumers should take.

Long before this breach, you should have assumed some or all of your personal information was compromised during the massive Equifax breach in 2017 that affected about 150 million people, half of U.S. adults. And it involved information that you can’t change as easily as you can change a password or even an email address. Or maybe your information was hacked during one of the other major incidents of the last decade that involved a health insurer, a major retailer, a major hotel chain or the Internal Revenue Service.

Bottom line: This T-Mobile data breach may be another wake-up call to take steps to protect yourself. If you weren’t caught up in this one, you unfortunately could be a victim of the next big hack. Fraud/identity theft is the No. 1 complaint to the Federal Trade Commission, with 2.2 million complaints last year. Consumers reported losing $3.3 billion last year, up from $1.8 billion in 2019.

Here’s what you should do, regardless of whether you’ve ever done business with T-Mobile:

  1. Whether you are a customer of T-Mobile or not, be on guard for emails, texts or phone calls from someone posing as a T-Mobile employee who wants to help you. Don’t provide or confirm any personal information to a caller you weren’t expecting. Just hang up politely. If you think the call could be genuine, contact the company at a number you look up independently, preferably using your account statement.

  2. If you used your T-Mobile password or PIN on any other account, change the information on your other accounts immediately.

  3. If someone has your personal information, they may be able to use that and some social engineering to hack into existing bank, credit card or investment accounts. Account takeovers, which involve a criminal gaining access to an existing account, soared by 72 percent in 2019, according to Javelin Strategy & Research.
    So you should make sure your contact information is up to date with the banks, credit cards, investment firms and other financial institutions you do business with. You’d be surprised to learn how many people have fraud on their accounts and don’t find out quickly because companies don’t have a customer’s current cell phone number or even a correct email or mailing address.

  4. With any company that offers it, opt in for two-step authentication for online access. This requires more than just your username and password. It requires a one-time code that is sent almost immediately by text or email and that you need to actually log in.

  5. Sign up for transaction alerts with your financial accounts, so that you get text alerts or email messages about any withdrawals or transactions above a certain dollar amount, new transfers, payees added or any changes in contact information.

  6. Protect your cell phone and primary email account that you use for financial accounts above all else. If someone is trying to breach one of your accounts and tries to reset your password, the notifications will generally go to your cell phone or email of record. Make sure the password for your primary email account isn’t used on any other account you have. 
    T-Mobile said the thieves accessed serial numbers for some customers’ phones. When combined with other information, this could allow someone to fraudulently take over someone’s phone line. Contact T-Mobile for specific next steps on your account.

  7. Watch out for links in emails or text messages that you weren’t expecting that bait you to click on them out of fear or curiosity. Your bank, credit card, the IRS, FedEx, etc. will never send you links asking for your login password or Social Security number or anything like that. If you get an email or text unexpectedly that you think could be legitimate, contact the company or agency at a number you look up independently. Even if you don’t enter information, just clicking on the link could infect your phone or computer with a virus that steals your information.
    The same advice applies to messages on social media, such as Facebook. It’s common for information-stealing viruses to be sent with a message like, “Is this you in this video?” Your instinct is to click and look at what the sender is talking about. Don’t give in to the temptation.

  8. Strongly consider putting a freeze on your credit files with the three major credit bureaus. You should be able to do all three in less than 20 minutes total. Check out our step-by-step guide. To do it by phone: Equifax, 800-685-1111; TransUnion, 888-909-8872; and Experian, 888-397-3742. Freezes not only prevent someone from opening credit accounts in your name, but also block someone from fraudulently creating online accounts with the IRS and Social Security Administration. (You want freezes, not locks or fraud alerts.)

  9. If you’ve put freezes on your credit files, great. But don’t get complacent. Remember that 88% of identity theft involves existing accounts. Freezing your credit files does nothing to protect your existing credit cards, loans or accounts. And a credit freeze doesn’t protect your deposit accounts.

  10. T-Mobile likely will offer identity theft monitoring. Or you may already have such a service. Either way, realize that most of these services don’t prevent identity theft — they just notify you once a problem has been detected. Your goal should be prevention.

  11. This old advice is always good: Check your credit reports regularly to make sure there are no accounts or inquiries you don’t recognize. In normal times, you’re entitled to one free credit report per year from each of the three major credit bureaus. Right now, through April, you’re entitled to one free report each week from each of the three bureaus. For the long term, the best strategy is to order a report from a different bureau every four months.

    Go to annualcreditreport.com or call 1-877-322-8228. You’ll be asked to provide your name, address, Social Security number, date of birth and other personal details. If there’s any inaccurate information on your credit reports, use the dispute process to get the information removed or corrected.

  12. If there are actually accounts on the credit reports that aren’t yours, you need to do more. Contact the creditors directly by phone to find out whether these are mistakes or whether you’re the victim of more serious identity theft. If it’s the latter, you should take additional steps to protect yourself, including filing an identity-theft affidavit with the Federal Trade Commission (it will provide you with prewritten letters to send to creditors). The FTC site is great and even has a chat function.

  13. Keep an eye out for paper mail addressed to someone else that uses your address, or mail addressed to you that makes no sense: denials for loans you didn’t apply for, health insurance statements for medical visits you didn’t have, etc. Contact the sender by mail to get to the bottom of it.

  14. For financial accounts online, don’t use the same password on more than one account. If there’s a breach or your account gets hacked, the thief can obviously do more damage if they can get into more accounts.

  15. Never use a password that you use for a social media account such as Facebook or Twitter or Instagram on any other account, and especially not your email account or any financial account. Social media platforms are hot targets for hackers.

  16. Whether you get your statements by mail or online, know when to expect them each month and reach out if something is missing. It could be a sign someone has intercepted the item or changed your contact information.

  17. Pay attention to your credit scores provided on any of your credit card accounts. While the scores may be different from your actual FICO score, they shouldn’t change dramatically from month to month. If they do and you’re not sure why, you need to find out. It could be a sign of fraud.

  18. Be careful about joining WiFi networks in restaurants, hotels or other public areas. Many identity thieves create look-alike networks. Maybe instead of HILTON HOTEL, the imposter network is called H1LTON HOTEL. On a small screen, it can be difficult to tell the difference.

  19. Consider buying a locking mailbox. A lot of important personal information can be stolen if someone raids your mailbox.

  20. Consider whether it makes sense to sign up for online statements from entities such as your employer, your bank, your credit card company, etc., so that you don’t have to worry about the items getting into the wrong hands.

  21. Buy a shredder and use it to destroy sensitive documents.