What is T-Mobile Data Breaches?

T-Mobile has been breached so many times it's become a case study in corporate security negligence. At least nine known breaches since 2018 have collectively exposed data on over 100 million customers.

The Breach Timeline

Year	What Happened	Records Affected
2018	Personal data exposed	2 million
2019	Prepaid customers' data	1 million
2020	Customer proprietary network info	200,000
2021 (March)	SIM swap attack data	Unknown
2021 (August)	Massive breach — SSNs, driver's licenses	76.6 million
2022 (January)	SIM swap attacks	Unknown
2023 (January)	API exploitation	37 million
2023 (May)	Account PINs, SSNs	836
2024	Network intrusion (Salt Typhoon)	Unknown

The 2021 Breach (Most Severe)

• A 21-year-old hacker exploited an unprotected router
• 76.6 million current, former, and prospective customers affected
• Exposed: names, dates of birth, Social Security numbers, driver's license numbers, phone numbers, IMEI numbers, account PINs
• Data was offered for sale on dark web forums for 6 bitcoin (~$270,000 at the time)

Why Repeat Breaches Matter

It Shows Systemic Failure

One breach is an incident. Nine breaches is a pattern of negligence. T-Mobile has repeatedly failed to invest adequately in security despite holding extremely sensitive data.

Telecom Data Is Especially Dangerous

Your phone carrier knows your real identity (verified by SSN and ID), your location (cell tower data), your call records, your text messages, and your browsing habits. A telecom breach is more invasive than most.

SIM Swap Exposure

Breached T-Mobile data has been used to facilitate SIM swap attacks, where criminals port your phone number to steal two-factor authentication codes.

Regulatory Response

• $500 million FCC settlement (2024) — $150 million fine + $350 million for security improvements
• Required to implement zero trust architecture
• Required CISO with direct board reporting
• This was the largest data security penalty in FCC history