A “bad actor” stole personal information from approximately 37 million T-Mobile customers in a November data breach, the company said on Thursday.
In a filing with the U.S. Securities and Exchange Commission, T-Mobile said the hack was discovered on Jan. 5. The unidentified hacker (or hackers) obtained data starting around Nov. 25 through a single Application Programming Interface, the company said.
The malicious intruder accessed a “limited set of customer account data” – including names, addresses, emails, phone numbers and dates of birth.
T-Mobile said that, based on its investigation to date, “customer accounts and finances were not put at risk directly by this event.” No credit card information, passwords, Social Security numbers, government ID numbers or other financial account information was exposed in the breach, T-Mobile said.
Company job cuts:Google to lay off 12,000 employees, the latest tech giant to cut thousands of jobs
More:Amazon discontinues charity donation program that raised nearly $500 million as layoffs continue
After learning about the breach, T-Mobile said it “promptly commenced an investigation with external cybersecurity experts” and was “able to trace the source of the malicious activity and stop it” within a day.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” T-Mobile said in its Thursday filing.
The company added that it has notified law enforcement and federal agencies, which were not named in the filing.
Will T-Mobile notify customers impacted by the breach?
In a Thursday news release, T-Mobile said it was currently in the process of notifying customers who were impacted by the breach.
“We understand that an incident like this has an impact on our customers and regret that this occurred,” T-Mobile stated. “We plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program.”
Database:40 million Americans’ health data is stolen or exposed each year. See if your provider has been breached.
Thursday’s filing noted that T-Mobile may “incur significant expenses” because of the hack. But the company said it did not expect the incident to have “material effect” on its operations.
History of T-Mobile breaches
November’s breach doesn’t mark the first time T-Mobile customers have had their data stolen.
In July, T-Mobile agreed to pay $350 million to settle a class action lawsuit after the company disclosed in August 2021 that personal data – including Social Security numbers and driver’s license information – had been stolen. More than 76 million U.S. residents were affected.
In the settlement, T-Mobile also said it would spend at least $150 million through 2022 and 2023 “for data security and related technology.”
Prior to August 2021, customer information was accessed in breaches that T-Mobile disclosed in January 2021, November 2019 and August 2018.
What’s everyone talking about? Sign up for our trending newsletter to get the latest news of the day
“While these cybersecurity breaches may not be systemic in nature, their frequency of occurrence at T-Mobile is an alarming outlier relative to telecom peers,” senior analyst for Moody’s Investors Service, Neil Mack, said in a statement sent to The Associated Press – noting that the latest breach raises questions about management’s cyber governance and could alienate customers, as well as attract scrutiny from regulators.
In Thursday’s filing, T-Mobile noted that it began a “substantial multi-year investment” to improve its cybersecurity in 2021.
Contributing: The Associated Press.