Privacy

T-Mobile investigates yet another data breach, this one affecting 37 million accounts

The telecom giant has suffered major breaches in the past resulting in FCC investigation into its data security practices.

By Tonya Riley

January 19, 2023

People walk past the front of a T-Mobile retail store on August 18, 2021 in Arlington, Virginia. (Photo by Chip Somodevilla/Getty Images)

The telecom giant T-Mobile, which has suffered several massive data breaches in recent years, disclosed in a financial filing Thursday that the company is investigating another breach that impacted as many as 37 million users.

A malicious actor was able to gain access to an internal system allowing them to steal account information including names, billing addresses, emails, phone numbers, dates of birth and account numbers. The bad actor was not able to access Social Security numbers, driver’s licenses, passwords/PINs, or other financial information, according to the filing.

T-Mobile reported that its investigation into the breach is ongoing but “malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network.”

The bad actor appeared to first breach an application programming interface around Nov. 25, 2022, and T-Mobile discovered the intrusion on Jan. 5. The company states that it has notified federal agencies about the incident and is working with federal law enforcement.

The Federal Communications Commission told CyberScoop the agency is investigating the breach.

“Carriers have a unique responsibility to protect customer information. When they fail to do so, we will hold them accountable,” an FCC spokesperson wrote in an email. “This incident is the latest in a string of data breaches at the company, and the FCC is investigating.”

This is T-Mobile’s sixth major breach since 2018. T-Mobile suffered a breach of 50 million accounts in 2021, sparking an investigation by the FCC. The results of that investigation have not been made public, but it could lead to significant fines for the company.

The FCC announced earlier this month it is exploring a rulemaking process that would require telecom companies to report breaches to consumers immediately unless otherwise advised by authorities. Current rules require carriers to wait seven days to notify customers of a breach.

Update Jan. 19, 2023: To include comment from the FCC.

T-Mobile investigates yet another data breach, this one affecting 37 million accounts

More Like This

Campaigns and political parties are in the crosshairs of election meddlers

Stolen Change Healthcare data could contain information on ‘a substantial portion’ of Americans

FCC wants rules for ‘most important part of the internet you’ve probably never heard of’

Top Stories

CISA ransomware warning program has sent out more than 2,000 alerts

More Scoops

New FCC privacy task force takes aim at data breaches, SIM-swaps

FCC proposes stronger data breach rules, faster notifications for telecoms

American Airlines discloses data breach

Most top mobile carriers retain geolocation data for two years on average, FCC findings show

Twitter breach exposes anonymous accounts to nation state hackers

Privacy bill strips FCC oversight of telecom data abuse, worrying consumer advocates

Okta says 366 customers potentially affected in data breach

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics