There seems to have been a large T-Mobile data breach. Even though our traffic is carried by T-Mobile, I don’t recall ever giving RW my SSN, driver’s license number, or address, so I’m thinking any evil hackers don’t have useful information on us. Yay Republic Wireless!
Like most prepaid providers, Republic does not collect SSN or driver’s license information. Republic does, however, store addresses as part of billing information.
I’ve been a Republic member since 2014. In that time, I’m not aware of any information breaches at Republic. To some degree, it’s an additional benefit of doing business with a smaller provider. Generally, hackers are fishing in larger ponds.
Are there any concerns over RW customer data being involved in the recent T-Mobile data breach? Seems like this is becoming a regular event with T-Mobile.
Hi Bill, maybe Roland’s answer in this thread helps answer your question:
By the looks of it, I think we’re okay.
The real question is not what information you’ve given to RW, but as an MVNO does Republic give any of its customer information to T-Mobile? Can anyone answer that for sure? I don’t see that there would be a need, RW is really T-Mobile’s customer, not any of us.
I’m confident your intuition is correct. Republic is indeed T-Mobile’s customer and not us, therefore, no need for Republic to share customer specific information with T-Mobile.
I imagine there is certain information about our phones that Republic needs to share with T-Mobile, so that they receive cellular service on T-Mobile’s network. For example, a phone’s SIM card number (ICCID) and a phone’s electronic serial number (IMEI). With a traditional provider, I’d imagine our phone number as well. Given Republic phones use a second number on the cellular network, I’m thinking Republic need not necessarily share our public facing number with T-Mobile. For those wondering what the second number I refer to is all about, please see here: How to find your phone's secondary number and stop unwanted calls to that number.
As I understand the information that was breached, it was customer information rather than network service information.
My question is why do companies need so much information to do business with their customers these days? Social Security numbers, addresses, phone numbers, the list is endless. The answer of course is they sell this information to other companies. Then when all this personal information is stolen by hackers all we get is a big fat ‘we are so sorry’ and we are left to clean up the consequences. Some day some smart young lawyer is going to see the injustice in this and hold them accountable with a big fat lawsuit.
It’s likely the highly personal information was a result of a credit check for postpaid customer applicants. This information should have likely been destroyed after the credit check was complete. Believe me, companies are getting the message. I can’t tell you how many hours of information protection training I’ve been subjected to as an employee of a Fortune 50 company. It does take a while to turn the ship, however.
Given T-Mobile’s most recent disclosure that they discovered an additional large group of users whose data was compromised, I’d feel a whole lot better if there was an official statement from RW.
So far, nothing on the RW home page, nothing here.
I appreciate other users and users with titles weighing in, but, as you say, you are just speculating. Aren’t we entitled to know if we’ve been compromised, or at least what data on us T-Mobile has (had?)
If, through the monitoring that the government and other financial institutions are paying for because of their past data losses, I become aware of what looks like my phone data out there and RW has said nothing, I won’t be a happy camper.
For context, I wouldn’t object to an “official” statement but I am uncertain what it is folks would want Republic to say. I’m not aware of any other MVNO using T-Mobile network coverage issuing statements regarding T-Mobile’s breach.
This is the disclosure of the apparent compromise of Metro by T-Mobile customer information? If so, it would be important to note Metro is owned by T-Mobile. Republic, of course, is not owned by T-Mobile. Metro’s customer information is maintained on T-Mobile servers. Republic’s customer information is maintained on its own servers.
Republic is T-Mobile’s customer. There is no reason or need Republic would share individual customer information (name, address, payment method, etc.) with T-Mobile. Much of the information said to be compromised, such as social security numbers and credit bureau information, Republic doesn’t have to share because as a prepaid no-contract provider Republic doesn’t collect it.
Clearly, Republic must share some information regarding our phones in order for those phones to work on one of T-Mobile’s networks. This is admittedly speculation but I would expect that includes our phone(s)’ IMEI (electronic serial number), our phone(s) SIM’s ICCID and possibly our telephone numbers. I say possibly on our telephone numbers because, yes more speculation, though T-Mobile provides cellular coverage for Republic activated phones, our public facing phone numbers are on the Voice over Internet Protocol (VoIP) network of Bandwidth.com. This might actually be an advantage to Republic’s proprietary implementation of blended WiFi/cell service. None of the information about our phone(s) alone or in combination would be enough to access Republic account information.
Two things I suggest every Republic member consider, if not already done, as general good security practice not as a specific response to the circumstances at T-Mobile would be setting an account PIN and enabling multi-factor authentication for their account:
I have been worried since a week or two ago, a message briefly flashed on my phone, “Address change notification.” It was gone in seconds & I can’t find any reference to it now. Haven’t noticed any other unusual happenings yet. Except, recently was unable to call a relative in the next state, call didn’t ring there. Just heard about this T-Mobile breach, so doubly worried.
Thanks for sharing your concerns and/or comments on this matter. I’ve posted our official response to this news in the following Community Announcement:
Thanks, Southpaw. I knew you’d have something for us eventually.
Roland offered the thought that T-Mobile might need and have our phones’ ICCID and IMEI, and the statement didn’t address that. Given that some press reports suggest that those two pieces of data were compromised for T-Mobile customers, could you address whether T-Mobile has that data for us? I’m assuming that such data couldn’t be matched to our personal information, but it would still be useful to know.
I’d also like to say that I’m disappointed that there wasn’t a prompt response to us from the boss at Republic when news of the breach hit the media. I’m sure the merger might be all time-consuming, but keeping its customers informed is something Republic generally does. I don’t care who actually writes the response, but it should go out to all Republic users under his signature via email or a press release. I suspect only a small number of Republic users read the forums, and those aren’t the only ones who might want to know.
Thanks again for responding to this topic. I’m sure getting the official answer wasn’t the easiest thing ever.
Thanks for your feedback. I’m sorry to see our response hasn’t met your expectations. Please know that although the announcement in our Community was posted by me, it is the official statement, authored and approved collaboratively within our organization including our entire leadership team.
While T-Mobile does store ICCID and IMEI numbers, there is no personal information about our members stored within the ICCID and IMEI information nor in T-Mobile databases.
Rest assured, if this were an incident that impacted our Republic Wireless members, we would notify broadly and ensure adequate steps were taken. For those who don’t view our Community, our Help Team is sharing the link to our announcement with those who inquire.