Magenta mobile operator T-Mobile has been left pink with embarrassment following a data breach affecting 37 million customers.
The self-styled ‘uncarrier’ late last week revealed a hacker exploited an application programming interface (API) to gain unauthorised access to customer information. Somewhat disconcerting is T-Mobile’s admission that it believes the hack commenced around 25 November, but the telco didn’t learn it was under attack until 5 January.
“We promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, we were able to trace the source of the malicious activity and stop it,” the company said in an SEC filing on Thursday. “Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network.”
This time round, T-Mobile reckons about 37 million customers are affected. T-Mobile said the hack didn’t expose payment card information, social security, tax, driver’s licence or other government-issued ID numbers. Passwords, PINs, and other financial information are also still safely locked away.
However, the hack did compromise other information, including name, billing address, email, phone number, date of birth, and T-Mobile account number and information, such as the number of lines on the account and plan features.
So, while financial and ID information hasn’t been stolen, the data that has been taken is more than sufficient to expose customers to phishing attempts that could easily culminate in financial loss further down the line.
“We understand that an incident like this has an impact on our customers and regret that this occurred,” said T-Mobile, in a separate statement. “While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity programme.”
Until last week, the most recent attack came to light in August 2021, when the operator revealed that a hacker had accessed information pertaining to 7.8 million existing customers, and more than 40 million former and prospective customers. That figure was subsequently revised upwards to around 76.6 million. It later transpired that T-Mobile reportedly paid the hacker $200,000 via a third party to stop the data being sold on the dark Web; however, the data was sold anyway. Before all that, T-Mobile also disclosed hacks in 2018 and 2019, plus two more separate incidents in 2020.
In July last year, T-Mobile agreed to pay $500 million to settle class action lawsuits brought by those affected by the 2021 breach. The plaintiffs accused it of failing to adequately protect customers’ data. T-Mobile agreed to contribute $350 million to cover legal fees and compensation, and agreed to spend a further $150 million on making improvements to data security and related technology.
Judging by how regularly T-Mobile seems to be getting hacked, $150 million might not cover it.