It looks like T-Mobile USA will be sending out breach notification letters to customers after the New Year.
A template of their notification letter, uploaded today to California’s breach site, explains:
We are writing to inform you of a recent incident of unauthorized access to a file stored on servers owned and managed by a T-Mobile supplier. This file contained personal information, including name, address, Social Security number and/or Driver’s License number. In your case, the party or parties making the unauthorized access may have viewed your <insert data type >. This access was discovered in late November 2013.
Although we believe the primary goal of the access was to obtain credit card numbers (which were not included in the file), the information that was accessible could also potentially be misused. Our supplier has taken immediate measures to secure the impacted servers.
According to T-Mobile USA’s notification to California, they discovered the breach on November 26. It is not clear when the breach occurred or when the supplier first discovered it.
The total number of customers affected was not indicated.
I imagine some customers are going to be angry that a breach discovered in November will first be disclosed in January. Affected customers are being offered a year of Experian’s ProtectMyID Elite.
Update 1: The breach was also reported to New Hampshire, where 14 residents were affected.
Update 2: The breach was also reported to Maryland, where 280 residents were affected.