T-Mobile's MVNOs could be roped into latest hack

Some of T-Mobile's mobile virtual network operators (MVNOs) may have been affected by the latest hack into the company's systems.

According to an article from 9to5Google, Google Fi recently began alerting some customers of "suspicious activity" related to the "primary network provider for Google Fi."

Specifically, Google Fi warned customers that data about their mobile service plan, SIM card serial number and account status may have been accessed, but that data including their email address, social security number and other information was not accessed. "There is no action required by you at this time," according to the message.

That warning dovetails closely with the hack reported by T-Mobile earlier this month. T-Mobile said a "bad actor" was able to obtain information on millions of its customers through an application programming interface (API) into its systems. The company said hackers walked away with names, billing addresses, emails, phone numbers and dates of birth from around 37 million customer accounts.

"There was no access to Google's systems or any systems overseen by Google," according to the Google Fi message.

Following the 2020 merger of Sprint and T-Mobile, T-Mobile is now the primary MVNO for Alphabet's Google Fi mobile service. Representatives from Google Fi and T-Mobile did not immediately respond to questions from Light Reading about the situation.

It's also unclear whether other T-Mobile MVNOs have been affected as Google Fi appears to have been affected. Representatives from Altice – a cable operator that offers mobile services via an MVNO agreement with T-Mobile – said "T-Mobile does not have access to Optimum Mobile customer data so no impact."

T-Mobile has been vocal about its interest in expanding its wholesale MVNO business following its merger with Sprint. However, the company lost Cox Communications' MVNO business to Verizon.

Interestingly, Google Fi recently provided some detail about how it handles its customers' data, following an FCC investigation into the matter. For example, the company said it processes data at Google data centers, "which are decentralized and located in many countries around the world. A Google Fi subscriber's data may be processed (and stored securely) at any of these data centers."

The company also said "Google Fi also shares limited types of data with Google affiliates as needed to: provide Google Fi services; process device purchases; bill and collect payments for Google Fi services and devices; troubleshoot potential issues with Google Fi services, devices, or the Google Fi account; verify identity; and protect from fraud, phishing, or other misconduct."

Related posts:

— Mike Dano, Editorial Director, 5G & Mobile Strategies, Light Reading | @mikeddano