BY Richard Summerfield
US mobile phone operator T-Mobile has suffered a data breach affecting 37 million customers - the company’s fifth such incident since 2018.
In a Securities and Exchange Commission (SEC) filing, the company noted that it “promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, we were able to trace the source of the malicious activity and stop it”. The company has launched an investigation into the breach, but explained that “the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network”.
According to T-Moble, the breach saw a bad actor use a single application programming interface (or API) to obtain limited types of information on customer accounts. T-Mobile said the hack did not expose payment card information, social security, tax, driver’s licence or other government-issued ID numbers. Passwords, PINs and other financial information is also believed to be safe, however the hack did compromise other information, including name, billing address, email, phone number, date of birth, and T-Mobile account number and information, such as the number of lines on the account and plan features.
The breach appears to have occurred in late November 2022, but T-Mobile did not become aware of the attack until 5 January.
“We understand that an incident like this has an impact on our customers and regret that this occurred,” the company said in a statement. “While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program.”
T-Mobile has suffered a number of damaging cyber attacks in recent years. Before the most recent breach came to light, in August 2021 the company noted that a hacker had accessed information pertaining to 7.8 million existing customers, and more than 40 million former and prospective customers, including social security numbers and driving licence details. That figure was subsequently revised upwards to around 76.6 million. T-Mobile is reported to have paid the hacker $200,000 via a third party to stop the data being sold on the dark web, but it was reportedly sold anyway.
The company also disclosed hacks in 2018 and 2019 and two other separate incidents in 2020.
Furthermore, in July 2022, the company agreed to pay $500m to settle class action lawsuits brought by those affected by the 2021 breach. The plaintiffs accused T-Mobile of failing to adequately protect customers’ data. As part of a settlement related to the breach, T-Mobile agreed to contribute $350m to cover legal fees and compensation, and to spend a further $150m on making improvements to data security and related technology.
News: T-Mobile’s $150 Million Security Plan Isn’t Cutting It