T-Mobile said Thursday that a hacker had collected data, including names, dates of birth and phone numbers, from 37 million customer accounts, the company’s second major breach in less than two years.
In a securities filing, T-Mobile said it first discovered that a “bad actor” was obtaining the data on Jan. 5. With the help of outside cybersecurity experts, the mobile service provider stopped the leak the next day, it said.
The company said there was no evidence that its systems or its network had been compromised, adding that the mechanism the hacker exploited did not provide access to more sensitive information, such as Social Security numbers, government identification numbers, passwords or payment card information.
“We understand that an incident like this has an impact on our customers and we are sorry that this occurred,” T-Mobile said in a statement.
The information exposed included names, email and billing addresses, phone numbers, dates of birth, T-Mobile account numbers, and information such as account lines and plan features. Many of the accounts did not include all that data. The company said it has begun notifying some of the affected customers in accordance with state and federal requirements.
T-Mobile said it was continuing to investigate the exposure and had notified federal authorities. The company said it believed the hacker began retrieving data on November 25 through an application programming interface, common code that allows software to communicate with other software.
A 2021 hack exposed data from nearly 77 million T-Mobile customer accounts, including names, Social Security numbers, and driver’s license information. As a result, the company agreed to pay $350 million to resolve customer complaints and spend $150 million to improve its cybersecurity practices and technologies.
In Thursday’s filing, T-Mobile said it had “made substantial progress to date” on those updates. It also acknowledged that it could face “significant costs” from the latest breach.