T-Mobile investigates yet another data breach, this one affecting 37 million accounts
The telecom giant T-Mobile, which has suffered several massive data breaches in recent years, disclosed in a financial filing Thursday that the company is investigating another breach that impacted as many as 37 million users.
A malicious actor was able to gain access to an internal system allowing them to steal account information including names, billing addresses, emails, phone numbers, dates of birth and account numbers. The bad actor was not able to access Social Security numbers, driver’s licenses, passwords/PINs, or other financial information, according to the filing.
T-Mobile reported that its investigation into the breach is ongoing but “malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network.”
The bad actor appeared to first breach an application programming interface around Nov. 25, 2022, and T-Mobile discovered the intrusion on Jan. 5. The company states that it has notified federal agencies about the incident and is working with federal law enforcement.
The Federal Communications Commission told CyberScoop the agency is investigating the breach.
“Carriers have a unique responsibility to protect customer information. When they fail to do so, we will hold them accountable,” an FCC spokesperson wrote in an email. “This incident is the latest in a string of data breaches at the company, and the FCC is investigating.”
This is T-Mobile’s sixth major breach since 2018. T-Mobile suffered a breach of 50 million accounts in 2021, sparking an investigation by the FCC. The results of that investigation have not been made public, but it could lead to significant fines for the company.
The FCC announced earlier this month it is exploring a rulemaking process that would require telecom companies to report breaches to consumers immediately unless otherwise advised by authorities. Current rules require carriers to wait seven days to notify customers of a breach.
Update Jan. 19, 2023: To include comment from the FCC.