BOSTON (AP) — U.S. wireless carrier T-Mobile said Thursday that an unidentified malicious intruder broke into its network in late November and stole data from 37 million customers, including addresses, phone numbers and dates of birth.
What you need to know
- T-Mobile said the data exposed to theft – based on the investigation to date – does not include passwords or PINs, bank account or credit card information, social security numbers or other government IDs
- The company has been hacked several times in recent years
- In July, T-Mobile agreed to pay $350 million to customers who filed a class action lawsuit after the company disclosed in August 2021 that personal information, including social security numbers and driver’s license information, had been stolen
- It also said at the time that it would spend $150 million through 2023 to strengthen its data security and other technologies
T-Mobile said in a filing with the US Securities and Exchange Commission that the breach was discovered Jan. 5. It said the data exposed to theft — based on the investigation to date — did not include any passwords or PINs, bank account or credit card information, social security numbers or other government IDs.
“Our investigation is ongoing, but the malicious activity appears to be fully contained at this time,” T-Mobile said, with no evidence that the intruder was able to breach the company’s network. It said data was first accessed on or about Nov. 25.
T-Mobile said it notified law enforcement and federal agencies, which it did not name. It did not immediately respond to an email asking for comment.
The company has been hacked several times in recent years. In its filing, T-Mobile said it did not expect the latest breach to have a material impact on its business. But a senior analyst for Moody’s Investors Service, Neil Mack, said in a statement that the breach raises questions about management’s cyber governance and could alienate customers and draw attention from the Federal Communications Commission and other regulators.
“While these cybersecurity breaches may not be systematic in nature, their frequency at T-Mobile is an alarming outlier compared to telecom peers,” said Mack.
In July, T-Mobile agreed to pay $350 million to customers who filed a class action lawsuit after the company disclosed in August 2021 that personal information, including social security numbers and driver’s license information, had been stolen. Nearly 80 million US residents were affected.
It also said at the time that it would spend $150 million through 2023 to strengthen its data security and other technologies.
Prior to the August 2021 breach, the company disclosed breaches involving access to customer data in January 2021, November 2019, and August 2018.
Based in Bellevue, Washington, T-Mobile became one of the country’s largest mobile phone providers in 2020 after acquiring rival Sprint. It reported having more than 102 million customers after the merger.