Not again. American mobile operator T-Mobile confirms customer data for 37 million users compromised by hacker
US mobile operator T-Mobile US is once again in the headlines after confirming another theft of customer data.
In a filing with the US Securities and Exchange Commission, the operator admitted that on 25 November, an unidentified malicious intruder breached its network via a single Application Programming Interface (API) and stole data on 37 million customers, including billing addresses, phone numbers, email, dates of birth and T-Mobile account numbers.
T-Mobile said it had discovered the theft on 5 January, but noted that the data exposed to theft by the API did not include passwords or PINs, bank account or credit card information, Social Security numbers, passports or other government IDs.
“We promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, we were able to trace the source of the malicious activity and stop it,” said the operator.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” it said.
“We are continuing to diligently investigate the unauthorised activity,” it said. “In addition, we have notified certain federal agencies about the incident, and we are concurrently working with law enforcement.”
It also said that it has begun notifying customers whose information may have been obtained by the bad actor in accordance with applicable state and federal requirements.
T-Mobile noted that since 2021 it has “commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity,” and has made “substantial progress to date” and “will continue to make substantial investments to strengthen our cybersecurity program.”
But it warned the firm “may incur significant expenses in connection with this incident.”
This will almost certainly be true, as this is not the first time that T-Mobile has been compromised.
In August 2021 it confirmed that it had suffered “unauthorised access” to its systems after customer data appeared for sale on a forum, said to be related to 80 million people obtained from T-Mobile servers.
In July 2022, T-Mobile agreed to pay $350 million to customers who filed a class action lawsuit and it agreed to spend an additional $150 million to upgrade data security.
Besides this latest breach and the August 2021 intrusion, T-Mobile has also disclosed breaches in January 2021, November 2019 and August 2018 in which customer information was accessed.
All of these breaches raise questions about its cyber governance, and could alienate customers and attract scrutiny by the Federal Communications Commission and other regulators.
Indeed, the Wall Street Journal has reported that the US Federal Communications Commission (FCC) has opened an investigation into the company’s latest data breach incident.
T-Mobile, based in Bellevue, Washington, became one of the largest mobile operators in 2020 when it finally closed its $26 billion acquisition of rival Sprint, in a deal that took years to complete.
The merger, which almost took place in 2014, was revealed in April 2018, but faced significant regulatory scrutiny over concerns it would reduce competition, and result in higher prices for consumers.
The combined entity now has more than 102 million customers, making it the third-largest wireless carrier in the United States.