T-Mobile Suffers Another Data Breach, Affecting 37 Million Accounts

Angela Lang/CNET

T-Mobile has been hit by another data breach. The nation’s second-largest wireless carrier on Thursday disclosed that a “bad actor” took advantage of one of its application programming interfaces to gain data on “approximately 37 million current postpaid and prepaid customer accounts.”

In an 8K filing with the US Securities and Exchange Commission, the carrier says that it was able to trace and stop the “malicious activity” within a day of learning about it. T-Mobile also says that the API that was used does not allow for access to “any customer payment card information, Social Security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs or other financial account information.” 

According to the filing, the carrier believes that the breach first occurred “on or around” Nov. 25, 2022. The carrier didn’t learn that a “bad actor” was getting data from its systems until Jan. 5. 

The company’s API, however, did reveal other user information, including names, billing addresses, email addresses, phone numbers and birth dates of its customers, their T-Mobile account numbers, and information on which plan features they have with the carrier and the number of lines on their accounts. 

In its SEC filing, the company said that in line with state and federal requirements, it’s started notifying customers whose information may’ve been obtained during the breach.

In an accompanying press release, T-Mobile seemingly tried to downplay the type of data that was revealed in the breach by noting that some of this type of “basic customer information” is “widely available in marketing databases or directories.” 

The carrier reiterated that no passwords or financial data had been exposed and that there was “also no evidence that the bad actor breached or compromised T-Mobile’s network or systems.” 

The news of the latest data breach comes as the carrier is in the final days of the settlement phase from a 2021 cyberattack that exposed the data of roughly 76.6 million people. T-Mobile agreed to a $500 million settlement in the case in July, with $350 million going to settle customer claims from a class action lawsuit and $150 million going to upgrade its data protection system. 

The deadline for filing a claim from that data breach is Jan. 23. 

It is unclear what might happen as a result of this newest breach. In the 8K filing the carrier says that it will “continue to make substantial investments to strengthen our cybersecurity program,” but notes that it also “may incur significant expenses in connection with this incident.”