T-Mobile has admitted that hackers were able to steal the information of around 37 million postpaid and prepaid customers in another major data breach. The carrier said in a regulatory filing that it discovered the issue on January 5th, but that it believes the bad actors had been taking data from the company since November 25th. In a post announcing the breach, T-Mobile revealed that the hackers used an API to steal customer information.
While the company was able to contain the issue 24 hours after discovering the malicious activity, the bad actors had access to its data long enough to steal people's names, billing addresses, emails, phone numbers and birthdays. They were also able to obtain users' account numbers and information about their plans, such as the number of lines they have. T-Mobile said, however, that it didn't find evidence that its network or systems had been breached or compromised. "No passwords, payment card information, social security numbers, government ID numbers or other financial account information" were stolen, the company said.
The carrier is still investigating the incident to get a more detailed view of what happened, but it has already warned investors that it would likely incur significant costs due to the incident. According to The Wall Street Journal, the Federal Communications Commission has also opened an investigation into T-Mobile because, as a spokesperson told the publication, "this incident is the latest in a string of data breaches at the company."
If you'll recall, the carrier confirmed in August 2021 that tens of millions of customers had been impacted by a data breach that exposed their sensitive information, including their social security numbers and driver's licenses. T-Mobile CEO Mike Sievert said back then that the hacker used "specialized" tools and knowledge of its infrastructure in order to gain access to its testing environment. While the initial number of affected customers for that breach was around 30 million, it ultimately ballooned to 76.6 million customers.
Almost a year later, the carrier agreed to pay $350 million to settle a consolidated class action lawsuit and pledged to spend $150 million to update its data security technologies. As The New York Times reports, the company said it has "made substantial progress to date" on those updates, but it clearly wasn't enough to prevent this incident. In its announcement, though, T-Mobile vowed to continue making "substantial, multi-year investments in strengthening [its] cybersecurity program."