Incident & Breach Response , Security Operations
T-Mobile Says Hackers Stole Data of 37 Million CustomersUnauthorized Party Obtained Access to Company API for Approximately 6 Weeks
The third-largest wireless carrier in the United States told federal regulators Thursday that it found a threat actor siphoning the identifying information of 37 million customers.
T-Mobile, the name assumed by the company that emerged after the 2020 merger of telecoms Sprint and T-Mobile US, minimized the breach's impact in a filing with the Securities and Exchange Commission. No payment card, government identifiers or passwords are part of the breach, said the company. The Bellevue, Washington telecom has more than 110 million customers.
It fingered an application programming interface that exposed data including names, emails, phone numbers and birthdates as the source of the breach. Hackers did not obtain a full data set of every one of the 37 million individuals affected, it added. Prepaid and subscription customers are affected; hackers also obtained data including the number of lines on the account and service plan features.
Hackers had access to the API for approximately six weeks until company personnel spotted and shut down outside access to the interface on Jan. 5. A separate press release says the time from incident detection to resolution was less than 24 hours.
Although not as damaging as leaked financial accounts, leaked data such as phone numbers and email addresses can still pose threats to consumers, especially if bad actors know that the information is recent and therefore likely to be valid. The risk of phishing and identity theft attempts typically rises in the wake of data breaches even if cyberthieves lack information such as passwords.
The carrier only months ago entered into a $350 million settlement stemming from a 2021 breach of personal data affecting 77 million customers. As part of the settlement, the company pledged to spend at least an additional $150 million to improve its cybersecurity.
Thursday's regulatory filing says the company began in 2021 a "substantial multi-year investment" into cybersecurity and asserts the company has "made substantial progress to date."
Still, the incident may end up costing the company a significant amount in expenses, T-Mobile said.