Why you can’t ignore the hackers and data breaches, like one at T-Mobile

Given all the stressors of late — flooded basements, job insecurity, the ongoing pandemic, fears that the delta variant will cause more havoc ahead — I’d daresay many people aren’t worrying a lot about data breaches and ID theft.

But the crooks aren’t giving up.

T-Mobile confirmed recently that it was hit by a “highly sophisticated cyberattack” that exposed names, dates of birth, Social Security numbers and driver’s license information for more than 40 million consumers who had applied for credit with T-Mobile.

No phone numbers, passwords or account numbers were reportedly compromised, according to the company. But some question whether that statement ultimately will be updated to indicate that phone numbers were compromised. Some data and screenshots shared by hackers suggest otherwise, according to a report by KrebsOnSecurity.

“T-Mobile customers should expect to see phishers taking advantage of public concern over the breach to impersonate the company — and possibly even messages that include the recipient’s compromised account details to make the communications look more legitimate,” according to a warning at KrebsOnSecurity.

T-Mobile also reported that it confirmed that about “850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed.”

The company said it proactively reset all the PINs on those prepaid accounts.

Other customers, though, are encouraged to change their PIN by going online into their T-Mobile account or calling the company’s team by dialing 611 on their T-Mobile phone.

Paige Schaffer, CEO of global identity and cyber protection services at Generali Global Assistance, said some people may even want to temporarily delete some of the apps, such as their banking app or credit card app, that they have on their phones as this investigation continues.

If you keep passwords on your phone — which you shouldn’t do — she said you’d want to make sure to delete those passwords, too.

Hacking incidents may seem so common that we only pay attention to big ones these days. But consumers have to be aware that they now must pay closer attention as more information relating to them could be in the hands of bad actors.

“The pandemic hasn’t helped things. It made the climate ripe for fraudsters,” Schaffer said.

T-Mobile has not said if IMEI numbers — which are unique identifiers tied to your phone — were compromised.

If those numbers get out there, experts warn there’s a greater threat that bad actors would be able to take over accounts and possibly access your bank account via the app on your phone at some point. International Mobile Equipment Identity numbers are not as commonly available to crooks, as say your birth date, name and Social Security number, so they can be quite valuable to hackers.

Schaffer noted that consumers access a great deal on their phones, making the risks of a SIM-swap —where your phone’s number can be stolen — quite concerning. Carriers put safeguards in place but the possibility of outsiders taking over your phone number exists, if the right information is available.

Someone who is able to control your phone number can control your online world.

Hackers, of course, have plenty when they’re dealing with stolen Social Security numbers and other ID.

Stolen ID information can be used for all sorts of nefarious activities including enabling crooks to open a credit card in your name, apply for jobless benefits using your ID, rent an apartment, get a job using your Social Security number, file fake tax returns to steal tax refund cash and commit medical identity theft.

“The T-Mobile breach is of great concern, especially for the 40 million people whose names, Social Security numbers and driver’s license details were exposed,” said Adam Levin, founder of CyberScout and host of the podcast “What the Hack with Adam Levin.”

Levin said the possible crimes are nearly limitless and called the information “an El Dorado for scammers and identity thieves.”

Unfotunately, Levin said, the general public has become numb to the endless news cycle of data breaches, cyberattacks, ransomware attacks and phishing campaigns.

“Telecommunication carriers are ideal targets for threat actors,” Levin said.

“Even a smaller carrier like T-Mobile with roughly 10% market share still represents tens of millions of customers and massive troves of data,” he said.

Hackers, though, are looking at all sorts of targets, not just big brand name companies.

The Internal Revenue Service, for example, warned in August that identity thieves continue to target tax professionals and others.

Susan Allen, senior manager on the tax practice and ethics team at the American Institute of CPAs, said the COVID-19 pandemic spawned many tax scams and identity theft issues.

Con artists had more of an incentive to try to tap into the stimulus payments provided during the pandemic, as well as expanded unemployment benefits.

She noted that the IRS’s Dirty Dozen list of tax scams for 2021 highlighted theft relating to such things as economic impact payments and tax refunds, phishing schemes, and unemployment fraud leading to incorrect Forms 1099-G, and many more scams.

Taxpayers, for example, are warned to watch out for text messages, random incoming phone calls or emails that request information about bank accounts or ask someone to click a link or verify data relating to any stimulus payment.

The IRS isn’t contacting people by phone, email, text or social media asking for Social Security numbers or other personal or financial information related to Economic Impact Payments.

“There are telltale signs of identity theft that tax pros can easily miss,” IRS Commissioner Chuck Rettig said in a statement.

Signs of fraud include seeing a tax return rejected because someone’s Social Security number was already used on another return. Or suddenly receiving tax-related emails that your tax professional really didn’t send.

The IRS warned tax professionals to watch out for other signs, including:

—Seeing a computer cursor move or change numbers without touching the mouse or keyboard.

—Hearing from clients who are reporting receiving IRS Authentication letters — such as 5071C, 4883C, and 5747C — even though they haven’t filed a return.

Victims, for example, might receive an IRS notice that shows they received wages from somewhere they never worked. Or if you’re retired, you might even receive a notice from the Social Security Administration stating benefits will be reduced or stopped because IRS records show you’ve been working and getting paid when you actually weren’t.

While it might be tempting to just ignore another data breach or oddball signs of ID theft, experts say it’s best to pay attention to what’s going on.

Take advantage of any credit monitoring services being offered, such as the two years of free identity protection services through McAfee being given to T-Mobile customers.

Check your credit report for free at AnnualCreditReport.com. One out of three consumers has never checked their credit report, according to earlier research conducted by The Harris Poll on behalf of the American Institute of CPAs.

Think carefully about freezing your credit file for free through the three main credit bureaus — Equifax, Experian and TransUnion. You’d need to contact each bureau individually for a freeze. See information at:

Equifax: www.equifax.com/CreditReportAssistance

Experian: www.experian.com/freeze

TransUnion: https://freeze.transunion.com

A freeze is a free service that will help prevent new accounts from being opened in your name. Putting a freeze on your credit will not hurt your credit score. You would have to remove that freeze before you can apply for a car loan, a credit card or other loans yourself, though.

You are able to access any credit cards or lines of credit that you’ve already opened even if you have a credit freeze. Criminals could still try to tap into existing accounts, too, so watch your statements.

Change your passwords, as you should do regularly anyway.

Sure, who has the energy for another data breach? Yet being too worn out to make a move gives the hackers an edge.


(Susan Tompor is the personal finance columnist for the Detroit Free Press. She can be reached at stompor@freepress.com.)

©2021 Detroit Free Press. Distributed by Tribune Content Agency, LLC.