Facepalm: Another day, another data breach. This time, wireless provider T-Mobile has disclosed a data breach involving millions of postpaid and prepaid customer accounts. Here's what we know at this hour.
In a Form 8-K filing with the US Securities and Exchange Commission, T-Mobile said it identified a bad actor obtaining data through a single API without authorization on January 5, 2023. Within a day of detection, the carrier was able to track down the source of the activity and put a stop to it.
It is believed that the bad actor first obtained data through the impacted API on or around November 25, 2022. The investigation is ongoing, we're told, but the malicious activity appears to be fully contained at this time.
The breach exposed some customer information including name, billing address, e-mail address, phone number, date of birth, account number and information relating to service plan features and the number of lines on an account. According to T-Mobile, nearly all of this type of data is widely available in marketing databases or directories.
T-Mobile said no passwords, social security numbers, government ID numbers, passwords or other financial data was compromised.
Approximately 37 million active postpaid and prepaid customer accounts were impacted.
T-Mobile said it is working with law enforcement on the issue and has notified the appropriate federal agencies. The carrier has also started notifying impacted customers and warned that it might incur significant expenses in connection with the incident.
According to The Wall Street Journal, the Federal Communications Commission has opened an investigation into the matter. "This incident is the latest in a string of data breaches at the company, and the FCC is investigating," an FCC spokesperson told the publication. Per TechCrunch, this is the eighth time T-Mobile has been hacked since 2018.
Last summer, T-Mobile suffered an even larger data breach involving nearly 77 million people and agreed to pay $350 million to settle a class action lawsuit over the matter. The company also vowed to spend another $150 million on additional data security and related tech in 2022 and 2023.