Telecom player T-Mobile US has suffered a cybersecurity incident that resulted in the exposure of the personal details of 37 million users, the company reported in a filing to the US Securities and Exchange Commission on Thursday.
Customer data such as customer name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features were exposed, the company revealed.
However, T-Mobile in a statement insisted that customer payment card information (PCI), social security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs, or other financial account information were not exposed.
Data obtained through a single API
T-Mobile said it found on January 5 that a bad actor had obtained data through a single application programming interface (API) without authorization. However, the company said the bad actor first retrieved data through the impacted API starting on or around November 25, 2022.
External cybersecurity experts conducted an investigation, and within a day of identifying the malicious activity, the source was traced and the activity was stopped.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” T-Mobile said.
The company said it has notified certain federal agencies about the incident and is concurrently working with law enforcement. “Additionally, we have begun notifying customers whose information may have been obtained by the bad actor in accordance with applicable state and federal requirements,” it said.
T-Mobile said it may incur significant expenses in connection with this incident. However, it is still unable to predict the full impact of the incident on customer behavior in the future, “including whether a change in our customers’ behavior could negatively impact our results of operations on an ongoing basis, we presently do not expect that it will have a material effect on the company’s operations.”
In 2021, the telco commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance its cybersecurity capabilities and transform its approach to cybersecurity. “We have made substantial progress to date and protecting our customers’ data remains a top priority. We will continue to make substantial investments to strengthen our cybersecurity program,” T-Mobile added.
Not the first security breach at T-Mobile
This is not the first major cybersecurity incident at T-Mobile. The company has suffered 7 other large breaches since 2018. In August 2018, the company said that 3% of its customer data was leaked. An attacker exfiltrated personal data such as customer names, billing ZIP codes, phone numbers, email addresses, account numbers, and account types (prepaid or postpaid).
In November 2019, the company disclosed that the account information of an undisclosed number of prepaid customers was accessed by an unauthorized third party. In March 2020, T-Mobile announced a data breach caused by an email vendor being hacked that exposed the personal and financial information of some of its customers. In December of the same year, the company suffered another breach that exposed customer proprietary network information (CPNI), including phone numbers and call records.
T-Mobile again disclosed a data breach after an unknown number of customers were affected by SIM swap attacks in February 2021. The telecommunications giant had warned that information including names, dates of birth, US Social Security numbers (SSNs), and driver’s license/ID of some 77 million individuals comprising current, former, or prospective customers had been exposed via a data breach in August 2021.
However, its ordeal didn’t end with this. In another incident in April 2022, Lapsus$, a hacker group, was able to gain access to the company’s internal tools, which gave them the chance to carry out SIM swaps.
Eventually, in July 2022, T-Mobile was forced to pay $350 million to customers affected by the August 2021 breach, as a part of a settlement, and agreed to invest $150 million to upgrade its cybersecurity through 2023.