In the latest T-Mobile hack, 37 million customers have personal data stolen, the company says

A “bad actor” stole personal information from approximately 37 million T-Mobile customers in a November data breach, the company said on Thursday.

In a filing with the U.S. Securities and Exchange Commission, T-Mobile said the hack was discovered on Jan. 5. The unidentified hacker (or hackers) obtained data starting around Nov. 25 through a single Application Programming Interface, the company said.

The malicious intruder accessed a “limited set of customer account data” — including names, addresses, emails, phone numbers, and dates of birth.

T-Mobile said that, based on its investigation to date, “customer accounts and finances were not put at risk directly by this event.” No credit card information, passwords, Social Security numbers, government ID numbers, or other financial account information was exposed in the breach, T-Mobile said.

After learning about the breach, T-Mobile said it “promptly commenced an investigation with external cybersecurity experts” and was “able to trace the source of the malicious activity and stop it” within a day.

“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” T-Mobile said in its Thursday filing.

The company added that it has notified law enforcement and federal agencies, which were not named in the filing.

Will T-Mobile notify customers impacted by the breach?

In a Thursday news release, T-Mobile said it was currently in the process of notifying customers who were impacted by the breach.

“We understand that an incident like this has an impact on our customers and regret that this occurred,” T-Mobile stated. “We plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program.”

Thursday’s filing noted that T-Mobile may “incur significant expenses” because of the hack. But the company said it did not expect the incident to have a “material effect” on its operations.

History of T-Mobile breaches

November’s breach doesn’t mark the first time T-Mobile customers have had their data stolen.

In July, T-Mobile agreed to pay $350 million to settle a class action lawsuit after the company disclosed in August 2021 that personal data — including Social Security numbers and driver’s license information — had been stolen. More than 76 million U.S. residents were affected.

In the settlement, T-Mobile also said it would spend at least $150 million through 2022 and 2023 “for data security and related technology.”

Prior to August 2021, customer information was accessed in breaches that T-Mobile disclosed in January 2021, November 2019, and August 2018.

“While these cybersecurity breaches may not be systemic in nature, their frequency of occurrence at T-Mobile is an alarming outlier relative to telecom peers,” senior analyst for Moody’s Investors Service, Neil Mack, said in a statement sent to The Associated Press — noting that the latest breach raises questions about management’s cyber governance and could alienate customers, as well as attract scrutiny from regulators.

In Thursday’s filing, T-Mobile noted that it began a “substantial multi-year investment” to improve its cybersecurity in 2021.