“Deep enough” would be true of any mobile carrier, to date all of these attacks are SIM swapping, with social engineering/phishing being the attack vector. Not particularly deep.
Attackers would have to social engineer the MVNO directly, which is certainly easier if they have data they’ve stolen from t-mobile first, but this isn’t a “they’ll get in no matter what because they’ve pwned T-Mobile so bad” scenario.
This article says that Google Fi customers were SIM swapped due to a T-Mobile breach. Even though "[t]here was no access to Google's systems or any systems overseen by Google."
> These attacks are conducted using social engineering, where the threat actor impersonates the customer and requests that the number be ported to a new device for some reason. To convince the mobile carrier that they are the customer, they provide personal information exposed to phishing attacks and data breaches.
> As the Google Fi data breach includes phone numbers, which can easily be linked to a customer's name, and the serial number of SIM cards, it would have made it even more convincing when contacting a mobile customer support representative.
They used the data in the breach to social engineer the Google fi reps. Attackers still needed to get through Google’s customer support system to perform the SIM swaps.
Attackers would have to social engineer the MVNO directly, which is certainly easier if they have data they’ve stolen from t-mobile first, but this isn’t a “they’ll get in no matter what because they’ve pwned T-Mobile so bad” scenario.