T-Mobile said Thursday a hacker collected data, including names, dates of birth and phone numbers, from 37 million customer accounts, the company’s second major breach in less than two years.
In a securities filing, T-Mobile said it first discovered on Jan. 5 that a “bad actor” got its hands on the data. With help from outside cybersecurity experts, the mobile service provider stopped the leak the next day, it said.
The company said there was no evidence that its systems or network had been compromised, adding that the mechanism used by the hacker did not allow access to more sensitive information such as social security numbers, government identification numbers or passwords or payment card information.
“We understand that an incident like this has an impact on our customers and we regret that it happened,” T-Mobile said in a statement.
The information exposed included names, billing and email addresses, phone numbers, dates of birth, T-Mobile account numbers, and information such as the rules on an account and subscription features. Many of the accounts don’t contain all that data. The company said it has begun notifying some of the affected customers in accordance with state and federal requirements.
T-Mobile said it continued to investigate the exposure and notified federal authorities. The company said it believes the hacker first began retrieving data on Nov. 25 through an application programming interface, a plain piece of code that allows software to communicate with other software.
A 2021 cyberattack exposed data from nearly 77 million T-Mobile customer accounts, including names, social security numbers and driver’s license information. As a result, the company agreed to pay both $350 million to settle customer claims and spend $150 million to improve its cybersecurity practices and technologies.
In Thursday’s filing, T-Mobile said it had “made substantial progress to date” on those upgrades. It also acknowledged that it could face “significant costs” as a result of the latest breach.
