Overview
T-Mobile US, Inc. is the second-largest wireless carrier in the United States by subscriber count, with over 105 million customers. Headquartered in Bellevue, Washington and majority-owned by Deutsche Telekom AG (Germany), T-Mobile provides wireless services under the T-Mobile and Metro by T-Mobile brands. The company completed its contentious $26.5 billion merger with Sprint Corporation in 2020, consolidating the U.S. wireless market from four to three major national carriers.
T-Mobile holds the distinction of having suffered some of the largest and most damaging data breaches in U.S. telecommunications history. Between 2018 and 2023, the company experienced at least eight significant security incidents, with two of particular severity: a 2021 breach exposing data for approximately 76.6 million current, former, and prospective customers, and a 2023 API vulnerability exploited over six weeks that exposed account data for 37 million customers.
The frequency and severity of T-Mobile's breaches are exceptional even within the telecommunications industry, which is already recognized as a high-risk sector for security incidents. The 2021 breach alone was one of the largest exposure events involving Social Security numbers, driver's license information, and account credentials in U.S. corporate history.
Its breach history notwithstanding, T-Mobile continues to hold vast amounts of sensitive subscriber data, including location history, call records, financial information, and device identifiers. That data is both commercially valuable and a significant privacy risk given the company's demonstrated security weaknesses.
Data Collection Practices
T-Mobile, as a wireless carrier, has access to extraordinarily sensitive data about its 105+ million subscribers:
Network-derived data:
- Real-time device location (cell tower, GPS, WiFi triangulation)
- Complete call and messaging metadata: numbers called, message recipients, timestamps, call duration
- Internet traffic metadata: domains visited, data volumes, connection times
- Device identifiers: IMEI, IMSI, SIM identifiers
- Roaming records indicating international travel
- Network performance data tied to device location
Account and billing data:
- Social Security numbers (collected for credit checks)
- Driver's license and government ID information
- Payment card and banking information
- Account credentials (username, password hashes)
- Credit inquiry history
Commercial data collection:
- Device usage patterns and app category usage via network monitoring
- Location analytics products derived from subscriber movement patterns
- Audience segmentation for T-Mobile advertising (T-Mobile Advertising Solutions)
- Cross-device behavioral profiles combining network and app usage data
T-Mobile Advertising Solutions is the company's first-party advertising data product, which uses subscriber location, device usage, and behavioral data to create audience segments for advertisers. The program allows T-Mobile to monetize its subscriber data for advertising purposes beyond core connectivity services.
Data sharing with third parties: T-Mobile has shared location data with third-party location aggregators, a practice that led to a 2019 settlement over sales of real-time location data to third parties who resold it to unauthorized users, including bounty hunters and stalkers.
Known Clients & Government Contracts
T-Mobile's government relationships span surveillance compliance, public safety, and commercial contracting:
PRISM and NSA surveillance program: T-Mobile (and predecessor companies including Sprint, which T-Mobile acquired) participated in NSA surveillance programs including PRISM, providing communication records under legal orders. Telecommunications carriers are required to maintain CALEA-compliant intercept capabilities, and T-Mobile, like all major U.S. carriers, responds to lawful intercept requests and National Security Letters.
Law enforcement compliance: T-Mobile provides call records, location data, and device information to law enforcement through subpoenas, court orders, and emergency requests. The company's transparency report documents tens of thousands of government data requests annually.
First Responder Network: Through its 5G network, T-Mobile provides coverage for public safety communications, and its network infrastructure supports emergency services communication. The company's network serves as underlying infrastructure for critical communications including 911 services.
Enterprise government contracts: T-Mobile provides wireless connectivity to numerous federal, state, and local government agencies as a commercial wireless carrier, representing significant government revenue.
Location data sales (historical): T-Mobile, along with AT&T and Verizon, sold real-time subscriber location data to third-party aggregators including LocationSmart and Zumigo, which resold it to companies including Securus Technologies. This supply chain enabled prison authorities, and also parties with criminal intent, to track the real-time location of T-Mobile subscribers.
Privacy Incidents & Litigation
T-Mobile's breach history is among the most extensive of any major U.S. corporation:
2021 Major Breach (76.6 million records): In August 2021, T-Mobile disclosed a breach affecting approximately 76.6 million current, former, and prospective customers. The exposed data included full names, Social Security numbers, driver's license numbers, dates of birth, phone numbers, T-Mobile account information, and IMEI/IMSI device identifiers.
The attacker, a 21-year-old American who claimed to have accessed T-Mobile's systems through a vulnerable GPRS gateway, sold 30 million of the records on a criminal forum for 6 Bitcoin (approximately $300,000 at the time). The 2021 breach was considered particularly severe because the combination of SSNs, driver's license numbers, and device identifiers creates the raw materials for identity theft and SIM swapping attacks.
2023 API Breach (37 million accounts): In January 2023, T-Mobile disclosed that an API vulnerability had been exploited for approximately six weeks, during which attackers accessed account data for approximately 37 million customers. The exposed data included names, billing addresses, email addresses, phone numbers, account numbers, and service plan details.
The T-Mobile 2023 breach was notable because the API vulnerability had existed for over a month before detection, demonstrating persistent security monitoring failures. This breach occurred less than two years after the 2021 incident, indicating that T-Mobile's security remediation following the 2021 breach was insufficient.
FTC Settlement (September 2024, $15.75 million): The Federal Trade Commission reached a settlement with T-Mobile following investigation of the 2021 and subsequent breaches. T-Mobile agreed to pay $15.75 million to fund security improvements, establish a dedicated CISO reporting to the CEO and board, and implement comprehensive security improvements including zero-trust architecture, network segmentation, and mandatory multi-factor authentication.
The $15.75 million penalty was structured as an investment in security rather than as a traditional fine, reflecting the FTC's recognition that T-Mobile needed operational security investment more than a punitive financial penalty.
Real-Time Location Sales to Bounty Hunters (2018-2019): Motherboard/VICE investigations revealed that T-Mobile (along with AT&T and Sprint) sold real-time subscriber location data to aggregators who resold it to bail bond companies, private investigators, and others, including cases where the data was used by bounty hunters to track individuals without legal authorization. T-Mobile had contracted to share location data with third-party aggregators for "location-based services," but those aggregators were selling access to criminal enterprises.
FCC investigations were opened, and T-Mobile eventually paid a portion of the $200 million proposed FCC fine (alongside AT&T and Verizon) following prolonged negotiations.
2015 Experian Breach: A breach of Experian, which processed T-Mobile credit applications, exposed data for 15 million T-Mobile applicants, including SSNs and driver's license numbers. While the breach was at Experian, the data was T-Mobile customer data processed by a vendor.
Threat Score Analysis
T-Mobile receives a composite threat score of 74/100, with the breach history score being the dominant elevated factor:
- Data Collection (80/100): As a wireless carrier, T-Mobile collects extraordinarily sensitive data including precise real-time location, call and message metadata, financial information, and government IDs for 105+ million customers. The combination of network-derived behavioral data with account data creates comprehensive subscriber profiles.
- Third-Party Sharing (65/100): T-Mobile's historical location data sales to third-party aggregators demonstrated inadequate controls over subscriber location data. The company's advertising products monetize subscriber behavioral data. Government law enforcement access is extensive but legally structured. The score is moderated because T-Mobile's core business is connectivity rather than data sales.
- Breach History (88/100): T-Mobile's breach history is exceptional: at least eight significant incidents between 2018 and 2023, with two breaches each affecting tens of millions of records. The 2021 breach's exposure of 76 million SSNs and government IDs represents one of the most consequential identity theft risk events in U.S. corporate history. Repeated breaches despite stated remediation demonstrate systemic security culture failures.
- Government Contracts (60/100): T-Mobile participates in NSA surveillance programs, maintains CALEA intercept capabilities, and responds to tens of thousands of annual law enforcement data requests. The company is embedded in critical communications infrastructure. The government relationship is principally compliance-based rather than proactive intelligence selling.
- Transparency (45/100): T-Mobile publishes an annual transparency report disclosing government request volumes and compliance rates. However, the company's response to its breach incidents, characterized by delayed disclosure, downplayed severity estimates, and insufficient remediation, demonstrates transparency gaps. The FTC settlement required improvements to incident response and board-level security accountability.
Weighted calculation: (80 * 0.25) + (65 * 0.25) + (88 * 0.20) + (60 * 0.15) + (45 * 0.15) = 20.0 + 16.25 + 17.6 + 9.0 + 6.75 = 69.6, adjusted to 74 due to the extraordinary breach history affecting nearly 150 million records across multiple incidents, the exposure of SSNs and government IDs at scale, and the demonstrated pattern of insufficient security investment creating repeated large-scale exposures.
Transparency & Accountability
T-Mobile publishes annual transparency reports and maintains public-facing privacy documentation, but its accountability record is defined primarily by its breach response patterns:
The company's response to the 2021 breach followed a pattern common to large corporate security incidents: initial understatement of the affected user count, gradual expansion of the disclosed scope, delayed notification to affected customers, and an offer of identity protection services as mitigation. The gap between T-Mobile's initial breach disclosure and the revelation of the full scope undermined user trust.
The 2023 breach occurring within two years of the 2021 incident, and the API vulnerability going undetected for six weeks, demonstrated that T-Mobile's post-2021 security remediation was insufficient. The FTC's 2024 settlement reflected this assessment, requiring T-Mobile to implement fundamental security architecture improvements rather than simply incremental improvements.
T-Mobile has opposed comprehensive federal privacy legislation that would create data minimization and breach notification standards. The company's lobbying positions have generally aligned with telecommunications industry opposition to new privacy regulatory requirements.
The Sprint merger created integration challenges that may have contributed to security weaknesses during the 2020-2023 period, as T-Mobile integrated Sprint's legacy systems and infrastructure. However, these integration challenges were foreseeable and the company's security investment during the integration period was apparently insufficient.
The FTC settlement's requirement that T-Mobile's CISO report directly to the CEO and board of directors reflects a regulatory judgment that T-Mobile's security failures were, at least in part, governance failures: security was not treated as a board-level priority appropriate to the sensitivity of the subscriber data the company collects.