Weeks before the Superbowl, T-Mobile was hit with another cyber attack. In an SEC filing, the company confirmed a cybersecurity incident that resulted in the exposure of the personal details of 37 million users, including names, billing addresses, emails, phone numbers, dates of birth, T-Mobile account numbers and information describing the kind of service they have with the wireless carrier. While T-Mobile said no social security numbers, credit card information, government ID numbers, passwords, PINs or financial information were exposed, the information stolen can be used by scammers to steal people’s identities.
T-Mobile said it found that a bad actor had obtained data through a single application programming interface (API) without authorization. The investigation found the attacker started taking advantage of the API around Thanksgiving, but it was not discovered until January 5. Upon discovering the hack, they hired external cybersecurity experts to investigate, traced the source, and stopped the activity. T-Mobile says it continues to investigate the breach but believes it is “fully contained,” noting their systems and network do not appear to have been hacked.
T-Mobile has suffered 7 more large breaches in the last five years:
- August 2018: T-Mobile said that 3% of its customer data was leaked, including customer names, billing ZIP codes, phone numbers, email addresses, account numbers, and account types (prepaid or postpaid).
- November 2019: T-Mobile disclosed the account information of an undisclosed number of prepaid customers was accessed by an unauthorized third party.
- March 2020: T-Mobile announced a data breach caused by an email vendor being hacked that exposed the personal and financial information of some of its customers.
- December 2020: T-Mobile suffered another breach that exposed customers’ proprietary network information (CPNI), including phone numbers and call records.
- February 2021: T-Mobile disclosed a data breach after an unknown number of customers were affected by SIM swap attacks.
- August 2021: T-Mobile warned that the names, dates of birth, US Social Security numbers (SSNs), and driver’s license/ID of about 77 million individuals comprising current, former, or prospective customers had been exposed via a data breach.
- April 2022: Hacker group Lapsus$ accessed the company’s internal tools to carry out SIM swaps.
- July 2022: T-Mobile was forced to pay $350 million to customers affected by the August 2021 breach, and as a part of a settlement agreed to invest $150 million to upgrade its cybersecurity through 2023.
- November 2022: T-Mobile’s hacked API exposed the personal details of 37 million users, including names, billing addresses, emails, phone numbers, dates of birth, T-Mobile account numbers and information describing the kind of service they have with the wireless carrier.