Another large T-Mobile breach – 37 million customers impacted

T-Mobile has started 2023 by uncovering a serious data breach they believe started around the end of November. Incredibly, just a few months ago in June 2022 T-Mobile paid $500 million to settle a class-action lawsuit against them regarding a data breach in 2021. Now they have been rocked by another massive breach.

The August 2021 breach exposed the personal data of at least 76.6 million subscribers. This breach is also significant with the personal data of around 37 million customers affected.

How the T-Mobile breach happened

The malicious actor breached T-Mobile by abusing an API (Application Programming Interface). An API is a software interface that lets a product or service “communicate” with other products and services. APIs open up access to resources like apps or services—and this is what the malicious actor abused and leveraged in the T-Mobile attack.

T-Mobile has not shared how their API was exploited.

What data has been compromised

In the filing with the Security and Exchange Commission (SEC), T-Mobile says the malicious actor gained access to the following:

  • Customer names
  • Billing addresses
  • Email addresses
  • Phone numbers
  • Dates of birth
  • T-Mobile account numbers

While no passwords, SSNs, or government ID numbers were exposed in the breach, the compromised information can still be used in conjunction with publicly available information, or information that’s already been stolen and is up in the dark web. Scammers can use this data to steal identities or commit fraud.

Consequences for T-Mobile

The U.S Federal Communications Commission (FCC) have opened an investigation into the T-Mobile breach.

According to an FCC spokesperson, “Carriers have a unique responsibility to protect customer information. When they fail to do so, we will hold them accountable. This incident is the latest in a string of data breaches at the company, and the FCC is investigating.”

This latest breach in the company’s history has caused some experts to question T-Mobile’s statement on implementing extensive cybersecurity measures, which they made after the 2021 breach.

Takeaways from the T-Mobile breach

For T-Mobile it’s a difficult road ahead as they attempt to navigate the impact of the breach both financially from penalties and lawsuits as well as from customers walking due to lost trust. The cost of prevention is showing to far out way the cost of inaction.

While we mainly see big companies in the news headlines, enterprises aren’t the only people being breached. We are seeing small and medium business effected just as much if not more, as many hackers opt for targets that won’t put them in the headlines and the cross-hairs of law enforcement.

Interested in learning more about cybersecurity? Talk with our team.