T-Mobile TMUS -0.52% US Inc. said hackers accessed data, including dates of birth and billing addresses, of about 37 million of its customers, the second major breach at the wireless company in two years.
The company said in a regulatory filing Thursday that it discovered the issue on Jan. 5 and is working with law enforcement officials and cybersecurity advisors. T-Mobile said it believes the hackers had access to its data since November 25, but have since been able to stop the malicious activity.
The wireless carrier said it is currently notifying affected customers and believes the most sensitive types of records — such as credit card numbers, social security numbers and account passwords — have not been compromised. T-Mobile has more than 110 million customers.
The company said its preliminary investigation indicates data on about 37 million current postpaid and prepaid customer accounts was disclosed. The company said hackers may have obtained names, billing addresses, email addresses, phone numbers, dates of birth and bank account numbers. Information such as the number of lines in the account and plan features could also have been retrieved, the company said.
“Some basic customer information (almost all of which is widely available in marketing databases or directories) was obtained,” T-Mobile said in a statement. “No passwords, payment card information, social security numbers, government ID numbers, or other financial account information were compromised.”
The company said its systems were not breached, but someone illegitimately obtained data through an API, or application programming interface, that may provide some customer information. The company said it ceased activity within 24 hours of discovery.
The company’s investigation into the incident is ongoing. T-Mobile warned there could be significant costs related to the incident, but said it is not expecting any material impact on the company’s operations at this time. The company is expected to report fourth-quarter results on February 1.
T-Mobile admitted a security breach last year after offering the personal information of more than 50 million of its current, former and potential customers for sale online. T-Mobile later increased its estimate and said about 76.6 million US citizens had some records disclosed.
A 21-year-old American living in Turkey claimed the 2021 break-in and said the company’s security practices paved an easy way for the theft of the data, including social security numbers, dates of birth and phone-specific identifiers. T-Mobile’s CEO later apologized for the outage and said the company would improve its data security.
T-Mobile proposed paying $350 million to settle a class-action lawsuit related to the 2021 hack. As part of the settlement, the company also pledged to spend $150 million on security technology in 2022 and this year.
Write to Will Feuer at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All rights reserved. 87990cbe856818d5eddac44c7b1cdeb8