Starting off January on a not-so-good foot, T-Mobile announced another data breach this week, this time affecting around 37 million customer accounts. Unlike other data breaches, where customer data is sometimes preserved, that is not the case this time. T-Mobile details that the data accessed includes names, billing addresses, emails, phone numbers, date of birth, account numbers, and information such as the number of lines on an account and service plan features.
T-Mobile tries to make it sound not so bad by adding that most of this data is already “widely available” via marketing directories and databases. Importantly, the carrier does specifically say that, “No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised.”
We are currently in the process of informing impacted customers that after a thorough investigation we have determined that a bad actor used a single Application Programming Interface (or API) to obtain limited types of information on their accounts.
As soon as our teams identified the issue, we shut it down within 24 hours. Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, customer accounts and finances should not be put at risk directly by this event. There is also no evidence that the bad actor breached or compromised T-Mobile’s network or systems.
For a bit of a timeline, T-Mobile mentions that as soon as the activity was noticed, it was shut down within 24 hours. However, in a detail that is not in its press release but was filed with the SEC, T-Mobile says that it believes the “bad actor” first started retrieving data via the impacted API in November of last year.
In the last piece of the SEC filing, T-Mobile says that it expects this news to not have a material effect on its operations. In simple terms, they don’t expect customers to be all too upset and take their business elsewhere.