T-Mobile believes the hacker had been stealing data since last November, while the US FCC is investigating the company for a ‘string of data breaches’.
T-Mobile is investigating a recent data breach that has impacted roughly 37m current postpaid and prepaid accounts.
The company said it detected unusual activity on 5 January when a bad actor used an API to obtain the data. T-Mobile said it was able to trace the source of the activity and stop it “within a day”.
The company said the data that was stolen includes account holder names, billing addresses, emails, phone numbers, dates of birth and account numbers.
T-Mobile said the 37m figure comes from the “preliminary result” of its investigation and said many of these accounts “did not include the full data set”.
Based on the investigation, T-Mobile said the cyberattacker did not obtain more sensitive data, such as credit card numbers and passwords.
The mobile company believes the bad actor had been stealing data from the API since roughly 25 November 2022. T-Mobile said it has begun informing affected customers and is working with law enforcement to investigate the data breach.
A US Federal Communications Commission spokesperson told the Wall Street Journal that it is investigating T-Mobile, as this is the latest in a “string of data breaches at the company”.
The company said it may incur “significant costs” as a result of the data breach.
In 2021, T-Mobile said the personal data of almost 50m customers was compromised in a cyberattack. This followed a breach in 2019, when the company said a hacker infiltrated its systems and obtained the personal data of more than a million US customers.
In 2018, the company claimed hackers from an “international group” stole customer personal data, in a breach that impacted around 3pc the company’s 77m customers.
Ivan Novikov, CEO of API security company Wallarm, said organisations need to understand the “unique challenges that come with protecting APIs” and take necessary measures to mitigate the risk of similar breaches.
“As organizations continue to accelerate their digital transformation efforts and leverage more and more APIs, it’s crucial that they have the right tools and expertise in place to protect their sensitive data,” Novikov said.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.