T-Mobile investigates yet another data breach, this one affecting 37 million accounts

The telecom giant has suffered major breaches in the past resulting in FCC investigation into its data security practices.
People walk past the front of a T-Mobile retail store on August 18, 2021 in Arlington, Virginia. (Photo by Chip Somodevilla/Getty Images)

The telecom giant T-Mobile, which has suffered several massive data breaches in recent years, disclosed in a financial filing Thursday that the company is investigating another breach that impacted as many as 37 million users.

A malicious actor was able to gain access to an internal system allowing them to steal account information including names, billing addresses, emails, phone numbers, dates of birth and account numbers. The bad actor was not able to access Social Security numbers, driver’s licenses, passwords/PINs, or other financial information, according to the filing.

T-Mobile reported that its investigation into the breach is ongoing but “malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network.”

The bad actor appeared to first breach an application programming interface around Nov. 25, 2022, and T-Mobile discovered the intrusion on Jan. 5. The company states that it has notified federal agencies about the incident and is working with federal law enforcement.


The Federal Communications Commission told CyberScoop the agency is investigating the breach.

“Carriers have a unique responsibility to protect customer information. When they fail to do so, we will hold them accountable,” an FCC spokesperson wrote in an email. “This incident is the latest in a string of data breaches at the company, and the FCC is investigating.”

This is T-Mobile’s sixth major breach since 2018. T-Mobile suffered a breach of 50 million accounts in 2021, sparking an investigation by the FCC. The results of that investigation have not been made public, but it could lead to significant fines for the company.

The FCC announced earlier this month it is exploring a rulemaking process that would require telecom companies to report breaches to consumers immediately unless otherwise advised by authorities. Current rules require carriers to wait seven days to notify customers of a breach.

Update Jan. 19, 2023: To include comment from the FCC.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts