T-Mobile reports bad actor accessed 37M customer records

In a new 8-K report submitted to the Securities and Exchange Commission (SEC), T-Mobile acknowledged a bad actor accessed 37 million T-Mobile customer records via an API flaw.

T-Mobile first discovered the incident on January 5, 2023 and then submitted the 8-K report to the SEC on January 19, 2023 with details on the ongoing investigation:

We promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, we were able to trace the source of the malicious activity and stop it. Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network.”

The investigation revealed the bad actor was not able to gain access to the “full data set” of customer data, such as “customer payment card information (PCI), social security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs or other financial account information.”

However, the exposed Application Programming Interface (API) did allow unauthorized access to a “limited set” of customer account data, such as name, billing address, email, phone number, date of birth, T-Mobile account number, and other account/plan details.

Moreover, T-Mobile added the actor likely first stole the data through the impacted API back on or around November 25, 2022.

The mobile telecom company continues to investigate the unauthorized activity and has contacted federal agencies about the incident. The firm is also working with law enforcement and have begun notifying customers about the incident.

In July of 2022, T-Mobile had agreed to pay $350 million and invest another $150 million in data security improvements to settle litigation over the 2021 data breach that impacted over 76 million T-Mobile customers.

Related Articles