T-Mobile data breach affects 37M customers
T-Mobile said a threat actor first began using an API in November to obtain the personal data of 37 million customer accounts, though no financial data was affected.
T-Mobile Thursday disclosed a data breach that affected approximately 37 million customer accounts.
The mobile carrier said in a notification on its website that a "bad actor" used a single API to obtain personal data from customer accounts. According to the notification, there is no evidence that the threat actor breached or compromised T-Mobile's network or systems.
"No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised," T-Mobile said in its notification. "Some basic customer information (nearly all of which is the type widely available in marketing databases or directories) was obtained, including name, billing address, email, phone number, date of birth, account number, and information such as the number of lines on the account and service plan features."
T-Mobile said the breach should not put customer accounts and finances directly at risk. However, the personally identifiable information the threat actor obtained could be used for phishing and social engineering attacks on customers.
The mobile carrier, which is owned by telecom giant Deutsche Telekom AG, disclosed additional details about the breach in an 8-K filing Thursday, such as the impact on 37 million current postpaid and prepaid customer accounts.
The filing said T-Mobile first identified the malicious activity on Jan. 5 when it discovered that "a bad actor was obtaining data through a single Application Programming Interface ('API') without authorization." However, T-Mobile said an investigation conducted with third-party cybersecurity experts indicated the threat actor began obtaining data from the affected API on or around Nov. 25, 2022.
It's unclear whether the customer data was exposed to the public through the API or the threat actor used an exploit to bypass authorization requirements and access the data. TechTarget Editorial contacted T-Mobile for clarification on the matter, but the company had not responded as of press time.
T-Mobile also said in its notification that within 24 hours of discovering the malicious activity, it identified the source and stopped it. The mobile carrier did not say what the source was or how it initially discovered the malicious activity. According to the 8-K filing, the investigation is ongoing, and T-Mobile "may incur significant expenses in connection with this incident."
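The filing describes a single API being used "without authorization" to pull account data for weeks before it was noticed. As an added illustration, not T-Mobile's code or a description of its systems, the following checks run over a constructed API access log (its format, the `subj=` credential field, the `/v1/accounts/<id>/profile` path and the thresholds are all assumptions) and surface the three patterns a defender would look for in such an incident: one caller walking through many different accounts, requests served with no credential at all, and a customer credential reading an account other than its own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real T-Mobile data). Each line carries a timestamp,
# the caller subject (an API-key or customer-token id, or "-" when the request had
# no credential), the HTTP method and the account number being requested.
SAMPLE_LOG = """\
2022-11-25T02:14:01Z subj=key-7731 GET /v1/accounts/100000001/profile
2022-11-25T02:14:02Z subj=key-7731 GET /v1/accounts/100000002/profile
2022-11-25T02:14:02Z subj=key-7731 GET /v1/accounts/100000003/profile
2022-11-25T02:14:03Z subj=key-7731 GET /v1/accounts/100000004/profile
2022-11-25T02:14:03Z subj=- GET /v1/accounts/100000005/profile
2022-11-25T02:14:04Z subj=- GET /v1/accounts/100000006/profile
2022-11-25T02:20:00Z subj=user-100000009 GET /v1/accounts/100000009/profile
2022-11-25T02:20:05Z subj=user-100000009 GET /v1/accounts/100000010/profile
"""

LINE_RE = re.compile(r"^(\S+) subj=(\S+) \S+ /v1/accounts/(\d+)/profile$")

def parse(log_text):
    """Yield (timestamp, subject, account_id) for each well-formed line, in log order."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
            yield ts, m.group(2), m.group(3)

def find_enumeration(log_text, window=timedelta(minutes=5), max_distinct=3):
    """Return subjects that read more than max_distinct different accounts inside
    any sliding window. A customer reads its own account; a scraper walks through many."""
    seen = defaultdict(list)   # subject -> [(timestamp, account_id)], assumes time-ordered log
    flagged = set()
    for ts, subj, acct in parse(log_text):
        events = seen[subj]
        events.append((ts, acct))
        recent = {a for t, a in events if ts - t <= window}
        if len(recent) > max_distinct:
            flagged.add(subj)
    return flagged

def find_unauthenticated(log_text):
    """Return account ids that were served to requests carrying no credential at all."""
    return sorted({acct for _, subj, acct in parse(log_text) if subj == "-"})

def find_cross_account(log_text):
    """Return (subject, account) pairs where a customer token read someone else's account."""
    return sorted({(s, a) for _, s, a in parse(log_text)
                   if s.startswith("user-") and s[len("user-"):] != a})
```

In a real deployment these checks would run continuously on the API gateway's logs, so a caller crossing the distinct-account threshold is flagged within the window rather than weeks later.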
Thursday's disclosure marks the latest incident for the carrier, which has suffered other high-profile cyber attacks recently. Last year, T-Mobile was breached by hackers associated with the Lapsus$ extortion group, who accessed the company's internal systems and stole source code. In 2021, T-Mobile discovered a threat actor had gained access to the company's testing network, obtained employee credentials and moved laterally to a database containing data for more than 40 million customer accounts.