Syed Imran Haider 
T-Mobile has announced the company’s other significant data breach within two years. The hacker obtained customer names, birth dates, phone numbers, email IDs, and billing addresses via an internal API.
Based in Washington, T-Mobile is among US largest cellphone service carriers. It became prominent after purchasing rival Sprint and reported over 102 million active customers after the merger.
The US telecom giant admitted the attacker could hack customer data from 37 million accounts. The company disclosed in a regulatory filing last week that it believed the hacker first used its APIs around 25 November 2022 to obtain customer data.
Detection of the Data BreachÂ
According to T-Mobile, the company noticed nasty activity earlier this month when the hacker had accessed the broken API for more than thirty days. It drew the source of the hack and rectified the API exploit within 24 hours of the detection.
The US telecom says the hacker used the API that did not give access to data that comprised any credit card information, security numbers, government Identity Numbers, PINs, passwords, and financial data. T-Mobile has also begun sending its customers notifications about whose data may have been stolen.
According to a public press release about the data breach, the latest data breach influenced 37 million accounts. The company omitted these accounts and never knew that the data breach had gone unnoticed for more than a month.
T-Mobile’s statement exposed that it had shut the API down within a day as soon as its team had discovered the hacking problem. The company has begun notifying customers whose personal data the hacker may have retrieved in the data breach.
The regulatory filing by T-Mobile acknowledges that the company has begun the investigation, but this time, the malicious movement looks fully contained. It did not find evidence that the attacker could compromise or breach T-Mobile’s systems or network.
Eight Data Breach Incidences Since 2018Â
T-Mobile has revealed eight data breaches in less than five years. The previous hacks included a data breach that came in January 2021 and exposed customer call records. Another data breach in August 2021 disclosed credit application data, whereas a mysterious individual accessed customer information and implemented SIM-swapping attacks six months after the second attack.
Lapsus$, the hacking group, shopped online for employees’ credentials to obtain T-Mobile’s source code in April 2022. In late November last year, an unknown malicious intruder attacked its network and stole 37 million customers’ data, including their date of birth, phone numbers, and billing addresses.
T-Mobile has notified federal law enforcement agencies. It says it did not expect the latest data breach could have a material impact on its regular operations. Neil Mack, the analyst for Moody’s Investor Service, said data breach attempts raise questions about management’s cyber governance and require Federal Communications Commissions and other regulators to perform scrutiny.
Although these data breaches at T-Mobile may not be systematic, the frequency of these occurrences is an alarming outlier to telecom customers. The cellphone carrier paid $350 million to customers who took legal action against the company, followed by the cybersecurity attack in August 2021. T-Mobile will pay $150 million in 2023 to strengthen its data security and other technologies.
