Tens of millions of T-Mobile customers have had their personal information exposed in the company’s latest data breach.
T-Mobile detected suspicious activity on January 5, 2023, and says it contained the incident within a day. The company believes, however, that the attackers began extracting data as early as November 25, 2022.
Approximately 37 million postpaid and prepaid customers are affected. According to T-Mobile, the attackers exploited an application programming interface (API) to access and steal the information.
Compromised data is believed to include names, billing addresses, email addresses, and phone numbers. T-Mobile reports that financial details, account passwords, and social security numbers do not appear to have been exposed.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” the company said in a statement.
The U.S. Federal Communications Commission (FCC) has opened its own inquiry into the breach.
This incident revives concerns about T-Mobile’s security practices. The operator has experienced major breaches in the past, raising questions about how effectively it protects customer data.
In August 2021, T-Mobile disclosed a large breach that exposed highly sensitive customer information, including driver’s license numbers and social security numbers, affecting tens of millions of people.
“While these cybersecurity breaches may not be systemic in nature, their frequency of occurrence at T-Mobile is an alarming outlier relative to telecom peers,” said Neil Mack, senior analyst at Moody’s Investors Service.
Following the 2021 breach, T-Mobile agreed to a $350 million settlement in a class action lawsuit and committed to invest $150 million to strengthen the security of its systems.
Sam Curry, Chief Security Officer at Cybereason, emphasized that the core issue is protecting customer information. “Whether or not sensitive data and financial information were lost isn’t the point. Customer information is a privilege to hold, not a right,” he said. While it is positive that T-Mobile’s network was not directly compromised in this most recent incident, Curry warned that erosion of privacy makes it easier for criminals to exploit identities.
Curry added that T-Mobile appears to have acted swiftly in responding to the breach, but noted that the broader cybersecurity community is watching closely for the investigation’s findings. “Hackers are innovative, and companies with valuable data and services are always a target. It remains to be seen whether the 2023 compromises resemble those from 2021. Did the company learn from 2021? Was 2023 an isolated event, or part of a recurring pattern? Time and the facts will tell,” he said.
(Photo by Mika Baumeister on Unsplash)
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo, which takes place in Amsterdam, California, and London.
Explore other upcoming enterprise technology events and webinars powered by TechForge.