Pierluigi Paganini January 20, 2023

Bad news for T-Mobile, the company disclosed a new data breach that resulted in the theft of data belonging to 37 customer accounts.

T-Mobile suffered a new data breach, threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts.

The telecommunications company discovered the intrusion on January 5, 2023, the attackers obtained data through a single Application Programming Interface (“API”) without authorization.

The company immediately launched an investigation into the security breach with external cybersecurity experts, it traced the source of the attack and stop it.

T-Mobile pointed out that security measures and policies in place prevented the compromise of the most sensitive types of customer information. According to the investigation, customer accounts and finances were not put at risk directly by the security breach.

Customer payment card information (PCI), social security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs or other financial account information were not exposed because the abused API does not provide access to this information.

“No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised.” reads the press release published by the company. “Some basic customer information (nearly all of which is the type widely available in marketing databases or directories) was obtained, including name, billing address, email, phone number, date of birth, account number, and information such as the number of lines on the account and service plan features.”

Compromised data include name, billing address, email, phone number, date of birth, T-Mobile account number, and information such as the number of lines on the account and plan features.

“Rather, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features.” reads the data breach notice issued by the company. “The preliminary result from our investigation indicates that the bad actor(s) obtained data from this API for approximately 37 million current postpaid and prepaid customer accounts, though many of these accounts did not include the full data set.”

While the investigation is still ongoing, T-Mobile is notifying customers who might have been impacted by the security incident.

The carrier suffered multiple data breaches in the last year, the last one in order of time took place in December 2021 when it discloses a data breach that impacted a “very small number of customers” who were victims of SIM swap attacks.

Below is the list of previous incidents suffered by T-Mobile:

• In August 2021, a security breach impacted 54 million customers.
• In February 2021, hundreds of users were hit with SIM swapping attacks.
• In December 2020, T-Mobile disclosed a data breach that exposed customers’ network information (CPNI).
• In March 2020, threat actors gained access to T-Mobile customers and employee personal info.
• In 2019, T-Mobile disclosed data breach affecting prepaid wireless customers.
• In 2018, data breach exposed personal information of up to 2 million customers.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]