T-Mobile said on Thursday that a hacker harvested data including names, dates of birth and phone numbers from 37 million customer accounts, the second major attack on the company in less than two years.
In a securities filing, T-Mobile said it first discovered on Jan. 5 that “bad actors” were obtaining data. With the help of outside cybersecurity experts, the mobile service provider stopped the leak the next day.
The company said it had no evidence its systems or networks were compromised, adding that the mechanisms exploited by the hackers did not provide access to more sensitive information such as Social Security numbers, government identification numbers, passwords or payment card information.
“We understand that incidents like this have an impact on our customers and regret that this happened,” T-Mobile said in a statement.
Exposed information included names, billing and email addresses, phone numbers, dates of birth, T-Mobile account numbers, and account line and plan features, among other information. Many accounts do not contain all of this data. The company said it has begun notifying some affected customers in accordance with state and federal requirements.
T-Mobile said it is continuing to investigate the exposure and has notified federal authorities. The company said it believed hackers first began retrieving the data on Nov. 25 through an application programming interface, a common piece of code that allows software to communicate with other software.
A 2021 cyberattack exposed data on nearly 77 million T-Mobile customer accounts, including names, Social Security numbers and driver’s license information. As a result, the company agreed to pay $350 million to resolve customer claims and spend $150 million to bolster its cybersecurity practices and technology.
In Thursday’s filing, T-Mobile said it has “made substantial progress to date” on these upgrades. It also acknowledged that it could face “significant costs” as a result of the latest breach.