A hacker siphoned customer data from T-Mobile for more than a month.
In that time, the bad actor obtained data about 37 million customers, the firm reported in a Thursday (Jan. 19) filing with the Securities and Exchange Commission (SEC).
T-Mobile discovered Jan. 5 that a bad actor had been getting data via an application programming interface (API) since around Nov. 25. The firm was able to stop the data breach within a day of discovering it, according to the filing.
The company said in the filing that it believes the data obtained from the API includes name, billing address, email address, phone number, date of birth, T-Mobile account number and some details of their T-Mobile service plan.
The data did not include customer payment card information, social security numbers, tax ID numbers, driver’s license or other government ID numbers, passwords or PINs, or other financial account information, per the filing.
“Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, customer accounts and finances should not be put at risk directly by this event,” T-Mobile said in a Thursday press release. “There is also no evidence that the bad actor breached or compromised T-Mobile’s network or systems.”
The company said in the SEC filing that it may incur “significant” expenses related to the incident but does not expect a material effect on the company’s operations.
This data breach comes about two-and-a-half years after T-Mobile suffered another cybersecurity incident in which it was reported that sensitive information from 100 million of the company’s users was being sold on the dark web.
“As we have previously disclosed, in 2021, we commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity,” the firm said in the Thursday SEC filing. “We have made substantial progress to date, and protecting our customers’ data remains a top priority. We will continue to make substantial investments to strengthen our cybersecurity program.”
Losses to internet crimes totaled a record $6.9 billion in 2021, up 7% from 2020, according to the FBI’s “2021 Internet Crimes Report” released in March 2022.