T-Mobile confirms another data breach affecting 37 million customer accounts
T-Mobile, one of the largest wireless network operators in the United States, said on Thursday that it was investigating a data breach involving 37 million customer accounts.
In a disclosure notice filed to the U.S. Securities and Exchange Commission, the company explained the breach was discovered after it identified malicious activity on its networks on January 5.
A “bad actor was obtaining data through a single Application Programming Interface (‘API’) without authorization,” as the filing described the activity.
T-Mobile said that its security team alongside external cybersecurity experts “were able to trace the source of the malicious activity and stop it” within a day of identifying the access.
However the company acknowledged that the bad actor had been retrieving data from its system through the insecure API “starting on or around November 25, 2022.”
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” the statement added.
Although the company’s investigation has not found that customers’ financial data had been compromised, personally identifying details including names, addresses, emails and phone numbers were obtained through the API.
T-Mobile said it had begun notifying customers whose information may have been obtained.
In its filing to the securities regulator, the company warned: “We may incur significant expenses in connection with this incident.”
Its shares fell 2% in after-hours trading.
The breach comes after the company agreed last July to pay $350 million to a group of victims of a previous incident and commit an extra $150 million to security upgrades to settle a class-action lawsuit.
T-Mobile customers who wish to make a claim as part of that settlement must submit them before midnight Pacific Time on January 23, according to the settlement website.
That lawsuit was launched after the company confirmed that the personal data of 40 million customers (later revised to 76.6 million) had their personal data stolen and advertised for sale on a cybercrime forum.
In a statement sent to The Record at the time of the settlement, a T-Mobile spokesperson said the company had “doubled down” on its cybersecurity program over the last year, creating a Cybersecurity Transformation Office that reports directly to the CEO, conducting about 900,000 cybersecurity training courses for employees and partners, and collaborating with Mandiant, Accenture, and KPMG.