"The data is fake:" Deutsche Telekom denies breach after alleged customer data hits cybercrime forum


Hackers are claiming to have a dataset linked to Deutsche Telekom for sale, raising fears of large-scale identity fraud. The claims appeared on a well-known underground marketplace, but the company says the data is fake.

Headquartered in Bonn, Germany, Deutsche Telekom is one of Europe's largest telecommunications companies, with a customer base exceeding 300 million worldwide. The company holds a 53% majority stake in T-Mobile US.

According to the attackers, the stolen data includes government-issued ID numbers, banking details, and other personally identifiable information (PII). Such data, if proven legitimate, can be exploited for massive fraud operations and targeted social engineering attacks against Telekom customers.

Passport numbers allegedly stolen from Deutsche Telekom

The Cybernews research team has reviewed the data samples that came along with the post. The data samples included customers’ PII, such as:

  • First names
  • Last names
  • Dates of birth
  • Passport numbers
  • Phone numbers
  • Addresses
  • Subscription data such as ID, tariff plan name, price, and bank account number.

Among the most sensitive elements exposed are passport numbers, which significantly raise the risk of identity theft and targeted fraud.

Our researchers also found that some of the exposed email addresses had appeared in older historical breaches, suggesting that at least part of the data may overlap with previously compromised records.

The allegedly exposed PII is tied not only to individual users, but also to affiliates and associated companies.

Is the data authentic?

Cybernews researchers see signs of authenticity in the claims, but there are some inconsistencies that raise questions.

Several indicators suggest the dataset could be legitimate, particularly because the exposed subscription plans and tariff information appear to align with offerings published on Telekom’s official website.

“The tariffs and affiliate plans correspond to the official Telekom website, and the user emails also appear valid,” our team noted.

“But the addresses do not match the postcodes in some cases, which raises suspicion.”

"It's compiled data:" Deutsche Telekom denies any breach of its systems

Deutsche Telekom has since denied to Cybernews that the leaked data originated from the company, stating that its security team had already analyzed the dataset in question.

According to its spokesperson, addresses and postcodes do not match, and the customers present in the dataset "do not exist" in the company's systems.

“Someone has compiled data that comes from phishing campaigns against private individuals and has already appeared on the net several times. This data has been enriched with further information that appears to be fictitious,” the spokesperson said.

“Deutsche Telekom analyzes all reports of suspected data thefts and takes them very seriously. To this end, we observe both public and non-public, specialized sources. However, it often turns out that such data sets do not contain authentic information.”

“This also seems to be the case with this data set, according to our experts who analyzed it already. This phenomenon is becoming increasingly common. The motives are very different,” they added.

Escalating attacks on the telecommunications sector

The sheer volume of sensitive data that telecommunications companies hold makes them irresistible to both financially motivated cybercriminals and state-sponsored actors.

Recent years have seen a dramatic escalation in attacks, with major providers such as Odido, AT&T, Colt, and Rostelecom all falling victim.

In February, Dutch telecom operator Odido suffered a massive cyberattack by the hacking group ShinyHunters, who impersonated an IT employee and successfully breached the company's systems, exposing personal data of 6.2 million customers.

ShinyHunters threatened to leak 21 million records and began dumping 2 million records daily after Odido's CEO refused to pay the ransom, stating that "criminals should not be rewarded."

In April, a massive DDoS attack on Russia's Rostelecom disrupted the internet and banking across 30 cities.

Last year, South Korea saw three of its largest telecoms, SK Telecom, KT, and LG Uplus, compromised.

Nation-state actors pose a particular threat to the telecom sector. This year, a China-affiliated group known as Red Menshen has been caught embedding covert spy tools deep within global telecom infrastructure, essentially hijacking the networks that entire populations rely on for daily communication.

In 2024, at least 9 US telecom companies were targeted by a China-backed threat actor, Salt Typhoon, including AT&T, Verizon, T-Mobile, and Viasat.

The FBI confirmed that the operation in total targeted 200 US organizations across 80 countries. Hackers accessed call records, wiretapping systems, and communications of US officials.

Updated on May 20th [12:00 p.m. GMT+2] with a statement from Deutsche Telekom.

