T-Mobile says millions more people have been impacted by its than initially believed. In a Securities and Exchange Commission filing, the company an additional 6 million or so accounts were affected, taking the total to more than 54 million.
On Wednesday, T-Mobile that data from around 40 million former or potential customers had been compromised in a cyberattack. The data included names, birth dates, social security numbers, driver’s licenses and information from other types of identification. The company now says another 667,000 accounts of former customers were accessed, with attackers obtaining some personal data from those, but no SSNs or ID details.
In the previous disclosure, T-Mobile said approximately 7.8 million current holders of T-Mobile postpaid accounts were impacted, with attackers gaining at least some customers' personal data. The company now says phone numbers and IMEI and IMSI details (identifiers for mobile devices and SIM cards respectively) were compromised as well.
On top of that, T-Mobile has identified another 5.3 million affected postpaid accounts. No SSNs or driver’s license/identification details were compromised from those, the company said, but the attackers accessed other identifiable information.
Around 850,000 active T-Mobile prepaid customers have been impacted as well. The attackers may have garnered up to 52,000 names connected to current Metro by T-Mobile accounts too. Accounts of former Sprint prepaid and Boost Mobile customers are unaffected.
Other data was stolen in the cyberattack, including additional phone numbers and IMEI and IMSI numbers, but the company claims there was no personally identifiable information in those files. Meanwhile, T-Mobile still has "no indication" that customer financial details, such as credit card data, were affected.
A member of an underground forum to have data for more than 100 million T-Mobile customers. They reportedly attempted to sell information of around 30 million of those for about $270,000 worth of Bitcoin.
T-Mobile's investigation into the breach is ongoing and it will provide more details if it finds more affected accounts. The company says it's "confident that we have closed off the access and egress points the bad actor used in the attack" and that it has taken steps to mitigate the impact on customers. For instance, it has offered two years of identity protection service to anyone who thinks they might have been affected.