A recent data breach exposed the names, Social Security numbers, and other identification information of just over 40,000,000 people who applied to T-Mobile credit, the company announced Wednesday.

It appears that the same data was stolen from approximately 7.8 million T-Mobile customers paying monthly for their phone service. It stated that no phone numbers, account numbers or PINs were stolen from nearly 50 million records.

Although T-Mobile has been affected by data theft before, Paul Furtado, Gartner analyst, said that the latest breach “the sheer number far exceeds the previous breaches.”

After buying rival Sprint, T-Mobile, a company based in Bellevue (Washington), became one of the largest cell phone service providers in the country. After the merger, it reported that it had 102.1 million U.S. clients.

Furtado stated that while they do have a large target on their back, it shouldn’t surprise them that they are targeting it. You have to question the organization. What level of seriousness and how much do they address these breaches?

T-Mobile also confirmed Wednesday the exposure of approximately 850,000 T-Mobile prepaid account numbers, customer names, and phone numbers. T-Mobile stated that all PINs were reset on these accounts by the company. There were no Metro by T-Mobile, Sprint prepaid customers, or Boost customers whose names or PINs were exposed.

Additional information was also found from inactive prepaid account accessed via prepaid billing files. T-Mobile stated that the file contained no financial information, credit card information or payment information from customers, nor Social Security numbers.

T-Mobile earlier this week stated that it was investigating a data leak after an individual offered to sell personal information from cellphone users.

Monday’s statement by the company stated that it had confirmed that there was unauthorised access to “some T-Mobile Data” and that it had shut down the entry point that allowed access. In response to Tuesday’s concern from a customer, CEO Mike Sievert tweeted: “If you were affected…you’ll hear back from us soon.”

Now, the company says that it will offer two years of identity protection services free of charge and is now recommending to all its postpaid customers (those who pay monthly installments) to change their PIN. The investigation continues.

T-Mobile has disclosed data breaches in the past, including in Jan. 2019, Nov. 2019, and Aug. 2018. All of these incidents involved unauthorized access of customer information. T-Mobile also revealed a 2020 email account breach that affected its employees. In 2015, hackers stole the personal information of approximately 15 million T-Mobile wireless users and potential customers in America. They obtained it from Experian, a credit reporting agency.

Allie Mellen, analyst at Forrester, said that it was a serious indictment of T-Mobile. She also wondered if these customers would be willing to work with T-Mobile again. “Ultimately, T-Mobile has a lot sensitive information about people. It’s just a matter luck that the information affected wasn’t financial information.”

The hack, she said, didn’t seem particularly complex and was a configuration problem on a server that is used to test T-Mobile phones.

Mellen stated that there was a gate open for attackers. They just needed to find it and enter it. “And T-Mobile wasn’t aware of the attack until the attackers posted it on an online forum. This is really concerning and doesn’t give any indication that T-Mobile has adequate security monitoring.”