T-Mobile announced in a Thursday filing with the Securities and Exchange Commission that hackers accessed data on 37 million of its customers. The massive security breach impacts both prepaid and postpaid customer accounts, and is the second notable hack in less than two years. The company said it is in the process of notifying those affected.
The (sort of) good news: T-Mobile has claimed that sensitive financial customer info like credit card and Social Security numbers was not part of the hack. Instead, the bad actors were only able to collect account data like names, billing addresses, emails, phone numbers, birth dates, and phone line specifics, according to the company. Still, that’s a lot of data for cybercriminals to get hold of, and T-Mobile customers should be aware that their personal information could be out there.
Hackers were reportedly able to access the data through a single Application Programming Interface (API), software that allows multiple computer programs to communicate with one another. The bad actors broke into T-Mobile’s API without authorization.
The telecom provider said it first detected the hack on January 5, and shut down the malicious activity less than a day later, with the help of external cybersecurity support. However, by that point, the breach had been going on for over a month. The company noted that it believes hackers first got into the impacted API around November 25, 2022.
“The malicious activity appears to be fully contained at this time,” the company wrote in the Thursday filing, but added that it was continuing to investigate what happened.
This most recent hack is far from the only one T-Mobile and its customers have had to deal with in recent years. In August 2021, the company admitted to an even larger breach concerning at least 48 million customers (though a subsequent class action suit alleged 76 million and hackers claimed the number was closer to 100 million). Previously, T-Mobile also suffered data breaches in 2020, 2019, 2018, and 2015.
The 2021 security failure resulted in T-Mobile paying out a $500 million settlement. $350 million of that money went to affected customers, while the remaining $150 million was designated for boosting the company’s digital security.
“In 2021, we commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity,” the company noted in this week’s breach disclosure. “We have made substantial progress to date, and protecting our customers’ data remains a top priority. We will continue to make substantial investments to strengthen our cybersecurity program,” it added.