T-Mobile on Thursday said it’s been hit by another data breach, this time impacting approximately 37 million customers. The wireless carrier said a bad actor obtained basic customer information — like names, account numbers and billing addresses — but did not access any sensitive customer information such as government ID numbers or payment card information.
According to a disclosure document T-Mobile filed with the US Securities and Exchange Commission, the company believes the bad actor first gained access to customer information around Nov. 25, 2022. T-Mobile discovered the breach on Jan. 5, 2023. Within 24 hours, the company traced the source of malicious activity and stopped it.
The hacker used a single Application Programming Interface (API) to gain access to T-Mobile data. The company is still investigating the breach but said the malicious activity appears to be fully contained.
The breach hit postpaid and prepaid customer accounts. According to T-Mobile, no passwords, payment card information, Social Security numbers, government ID numbers or other financial account information was compromised. The hacker did gain access to basic data like customer names, billing addresses, emails, phone numbers, dates of birth, account numbers, and information such as the number of lines on the account and service plan features.
So far, there’s no evidence that the bad actor was able to breach or compromise T-Mobile’s systems or its network.
T-Mobile is currently in the process of informing customers about the incident and is working with law enforcement to investigate the incident.
T-Mobile has been hit by a number of data breaches in recent years. The company will soon pay $350 million to settle customer claims from a class action lawsuit stemming from a data breach. The company is also in the middle of a major, multi-year cybersecurity overhaul.
“We have made substantial progress to date, and protecting our customers’ data remains a top priority. We will continue to make substantial investments to strengthen our cybersecurity program,” the company said in its SEC filing Thursday.