T-Mobile was a part of a location data scandal last year in which a website allowed anyone to track the location of any phone, and now it looks like another location data issue has popped up in 2019.

A new report from Motherboard details how T-Mobile, Sprint, and AT&T are selling access to customer location data. Specifically in the case of T-Mobile, a bounty hunter was paid $300 and was able to get the a screenshot of the Google Maps location of a T-Mobile customer’s phone, including its approximate longitude and latitude, and a location accuracy range of around 500 meters.

The bounty hunter used a tool that utilizes real-time location data that originates from T-Mobile, AT&T, and Sprint and is sold from one party to another, eventually ending up in the hands on people like this bounty hunter. In this case, the customer location data originated from T-Mobile and was shared with an aggregator named Zumigo that then sells that info to a company called Microbilt. The report notes that when posing as a bail bondsman customer, Microbilt offered location data pricing as low as $4.95 per device and that real-time updates on a phone’s location could cost around $12.95.

In its documentation, Microbilt suggested that its location service worked on all carriers, but the middleman that Motherboard worked with was not able or not willing to perform a search for a Verizon phone.

When contacted about this situation, Zumigo confirmed that it had given location data to Microbilt, but it said that “illegal access to data is an unfortunate occurrence across virtually every industry that deals in consumer or employee data” and added that it tries to protect privacy by adding in a measure of distance between half a mile and one mile from an actual address.

Meanwhile, Microbilt said that it requires anyone using its services to get consent of the consumer and that it was “unaware that its terms of use were being violated by the rogue individual that submitted the request under false pretenses,” which is the request in this Motherboard report. Microbilt says that it after learning of the incident, it terminated the customer’s access to its products.

But what about the carriers themselves? T-Mobile said that it takes the privacy of its customers “very seriously”. “While T-Mobile does not have a direct relationship with Microbilt, our vendor Zumigo was working with them and has confirmed with us that they have already shut down all transmission of T-Mobile data,” the carrier added. “T-Mobile has also blocked access to device location data for any request submitted by Zumigo on behalf of Microbilt as an additional precaution.”

AT&T said that it cut access to Microbilt while it looks into the situation and Sprint stated that while it doesn’t have a relationship with Microbilt, it will “take appropriate action” if it determines that any of its customers do work with Microbilt and have violated the terms of their contract with Sprint.

This news is pretty frustrating, as T-Mobile CEO John Legere said last year that T-Mo would “not sell customer location data to shady middlemen”. This latest situation is a little different than the one from last year that allowed anyone to see the location of a phone by entering some simple data, but the fact that someone was able to pay a few hundred bucks to get the location of a cellphone is disconcerting. And while Microbilt may be losing its access to location data from the carriers, who knows when or if we might see this situation pop up again from another location aggregator.

You can read the full report on this matter at the link below.

Source: Motherboard