Big data breach exposes 37 million T-Mobile user accounts

This is the mobile company’s eighth data breach in five years.

The latest data breach at T-Mobile has exposed customer information such as name, billing address, email, phone number, date of birth, T-Mobile account number and data such as the number of lines on the account and plan features.

The breach was discovered on January 5, 2023, when the company found that a bad actor was obtaining data through a single Application Programming Interface (API) without authorization. After investigating, the company believes that the bad actor first retrieved data through the affected API on or around November 25, 2022.

“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” T-Mobile said.

FCC investigation

Even though some personal data was jeopardized, T-Mobile claimed in a statement that no passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised. 

“No information was obtained for impacted customers that would compromise the safety of customer accounts or finances,” the company said.

“As soon as our teams identified the issue, we shut it down within 24 hours. Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, customer accounts and finances should not be put at risk directly by this event. There is also no evidence that the bad actor breached or compromised T-Mobile’s network or systems.”

The US Federal Communications Commission (FCC) has opened an investigation into the incident.

SIM swap attacks

This is the company’s second-largest known data breach. In August 2021, the data of around 50 million users was exposed, including customer names, dates of birth, US Social Security numbers, and driver’s license/ID. The company has also been affected by SIM swap attacks.

Later, in July 2022, as part of the settlement over the major breach in August 2021, the company was forced to pay $350m to customers who were affected. T-Mobile also agreed to invest $150m to upgrade its cybersecurity through 2023.

Today, T-Mobile has over 110 million customers.

T-Mobile’s seven other data breaches

  • August 2018: 3% of its customer data was leaked when an attacker exfiltrated data such as customer names, billing ZIP codes, phone numbers, email addresses, account numbers, and account types.
  • November 2019: an unauthorized third party accessed the account information of an undisclosed number of prepaid customers. 
  • March 2020: an email vendor was hacked, exposing the personal and financial information of some of its customers.
  • December 2020: a breach exposed customer proprietary network information (CPNI), including phone numbers and call records.
  • February 2021: a data breach where an unknown number of customers were affected by SIM swap attacks.
  • August 2021: the data of around 50 million users was exposed, including names, dates of birth, US Social Security numbers, and driver’s license/ID.
  • April 2022: the hacker group Lapsus$ gained access to the company’s internal tools, and was then able to carry out SIM swap attacks.