T-Mobile US has revealed it was hit earlier this month been bit by a serious data breach by a “bad actor” who used an API (Application Programming Interface) to raid 37 million accounts for customer data.
The hacker scooped up customer names, billing addresses emails, phone numbers, date of birth, account numbers, the number of lines on the account and service plan features.
The network says it shut down the affected system, within 24 hours and that no passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised.
“ Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, customer accounts and finances should not be put at risk directly by this event. There is also no evidence that the bad actor breached or compromised T-Mobile’s network or systems” a statement said.
“While no information was obtained for impacted customers that would compromise the safety of customer accounts or finances, we want to be transparent with our customers and ensure they are aware. We understand that an incident like this has an impact on our customers and regret that this occurred. While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program.
T-Mobile said it was the victim of a data breach, but added that the “most sensitive types of data” were not breached. The network operator said it found data was obtained through a single application programming interface earlier in January, though it believes the breach to have first occurred in November.
“The breach did not put social security numbers, driver’s licenses, other government ID numbers or passwords and PINs at risk. Rather, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features,” it said.
Sam Curry, the chief security officer at Boston cyber security company Cybereason, said;
“What is or isn’t sensitive is an important question to ask. Whether or not sensitive data and financial information were lost isn’t the point. Customer information is a privilege to hold, not a right; and while it’s great that T-Mobile’s network wasn’t compromised in this instance, and that outright theft wasn’t enabled through loss of direct billing numbers, eroding privacy and making it easier for hackers to compromise identities is still important and sensitive.
“It appears that T-Mobile moved quickly. While the details aren’t yet known, the world is paying attention for the results of this investigation. Hackers are innovative, and companies with valuable data and services are always a target, but it remains to be seen if the compromises in 2023 are similar to the ones suffered by T-Mobile in 2021. Did the company learn from 2021? Was 2023 unique? Was this a case this time around if anyone can fail occasionally or is it worse than that? Only time and the facts will tell us and tell T-Mobile and fellow practitioners what the new lessons to be learned are.”
