IOTW: Hackers steal the data of 37 million T-Mobile customers

T-Mobile, the Deutsche Telekom-owned mobile communications brand, has suffered a data breach that exposed the records of 37 million customers.

The breach was first discovered by T-Mobile on January 5 after the company noticed “unusual activity” on its American networks and was then reported to the general public on January 19. The company said that it believed the hacker had gained access to customer information “using a single Application Programming Interface (or API)”.

T-Mobile said the breach was shut down within 24 hours of detection.  It believes the hacker has been using the API to access customer data since November 2022, however, meaning a malicious actor was able to access the data of 37 million customers.  

According to T-Mobile, the data accessed reportedly includes “name, billing address, email, phone number, date of birth, account number and information such as the number of lines on the account and service plan features”. No sensitive information such as social security number, payment details or passwords were accessed in the breach. T-Mobile said the reason for this was the cyber security systems and policies it has in place “prevent[s] the most sensitive types of customer information from being accessed”.

Two class action lawsuits related to the breach have been filed with the US District Court for the Northern District of Florida and the US District Court for the Central District of California. Both lawsuits allege that T-Mobile failed to exercise reasonable care in protect customers’ private information.

This is the second large-scale data breach the company has suffered within two years, despite agreeing to invest US$150mn in its cyber security systems following the previous data breach in 2021.

August 2021: T-Mobile data breach

In August 2021, T-Mobile alerted its customers that it had been the victim of a cyber attack that had led to a data breach. Following an investigation into the attack, it was revealed that more than 76.6 million current and former customers’ information had been accessed during the breach.  

The information accessed included customers names, addresses, dates of birth, phone numbers, International Mobile Equipment Identity numbers and International Mobile Subscriber Identity numbers. Some customers also had sensitive information including their social security numbers and drivers license/ID information and T-Mobile account PINs compromised. T-Mobile alerted all those affected and reset the PIN information for the accounts that had this compromised in the attack.

To help combat ramifications from the cyber attack, T-Mobile created a dedicated webpage for information about the breach, as well as offering two years of free identity protection services, free scam-blocking protection and supplied additional best practice guides on what to do in the wake of the breach, including help on resetting passwords and PINs.  

The telecommunications company faced a class action lawsuit following the breach for allegedly failing to meet the obligations set out in its privacy policy and protecting its customers’ data. The company agreed to settle, paying $350mn to fund claims submitted by members of the class action lawsuit and agreeing to invest $150mn in its cyber security systems.