T-Mobile User Data Breach

T-Mobile is at it again. The second-largest wireless carrier has suffered yet another data breach, this time exposing the personal information of roughly 37 million current postpaid and prepaid customer accounts.

On Thursday, T-Mobile confirmed in an 8-K filing with the US Securities and Exchange Commission (SEC) that it had detected what it called malicious activity that interfered with one of its programming interfaces, and that it traced and stopped the activity within 24 hours of detection.

The malicious activity is fully contained, but the investigation is ongoing.

According to the carrier, the single Application Programming Interface (API) involved allowed access only to limited personal information of customers, including names, birth dates, phone numbers, billing and email addresses, T-Mobile account numbers, plan features, and the number of lines linked to their accounts.

However, the company’s API did not reveal payment card information, passwords, government ID numbers, tax ID, social security numbers, PINs, or any other customer financial information.

According to the SEC filing, the first breach occurred on or around November 25, 2022, and it wasn’t until January 5, 2023, that the carrier detected the ‘bad actor.’ The company reiterated that there is currently no evidence of a breach or compromise to its systems or network by the bad actor. However, they are working with federal agencies and law enforcement.

In line with state and federal requirements, the carrier is in the process of informing affected customers whose account information may have been compromised by the bad actor.

In a press release dated January 19, 2023, T-Mobile expressed its regret for the malicious activity and for how it must have affected its customers, while also arguing that the breached data, including some basic customer information, is “widely available in marketing databases or directories.”

T-Mobile stated that no highly sensitive financial data or passwords were accessed and that only limited information was obtained through the single API, so customer accounts and finances should be safe, as this incident created no direct risk.

This latest data breach is the fifth disclosed breach, and it occurred days before the end of a $500 million settlement phase from one of the largest and most consequential data breaches in US history that hit the company in 2021.

That data breach exposed sensitive information from an estimated 76.6 million customers, including their Social Security numbers, names, phone numbers, dates of birth, and addresses. T-Mobile agreed to settle the class action lawsuit filed by customers, paying them $350 million and spending $150 million to upgrade its data protection.

The company acknowledged this in a press release stating, “While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program.”

As of today, it is unclear what direction this breach will take, but T-Mobile says it “may incur significant expenses in connection with this data breach incident.”
