The nation’s second-largest wireless carrier on Thursday disclosed that a “bad actor” took advantage of one of its application programming interfaces to gain data on “approximately 37 million current postpaid and prepaid customer accounts.” CNET reports: In an 8K filing with the US Securities and Exchange Commission, the carrier says that it was able to trace and stop the “malicious activity” within a day of learning about it. T-Mobile also says that the API that was used does not allow for access to “any customer payment card information, Social Security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs or other financial account information.” According to the filing, the carrier believes that the breach first occurred “on or around” Nov. 25, 2022. The carrier didn’t learn that a “bad actor” was getting data from its systems until Jan. 5.
The company’s API, however, did reveal other user information, including names, billing addresses, email addresses, phone numbers and birth dates of its customers, their T-Mobile account numbers, and information on which plan features they have with the carrier and the number of lines on their accounts. The company said in the SEC filing that it has “begun notifying customers whose information may have been obtained by the bad actor in accordance with applicable state and federal requirements.” In 2021, T-Mobile suffered a data breach that exposed data of roughly 76.6 million people. “T-Mobile agreed to a $500 million settlement in the case in July, with $350 million going to settle customer claims from a class action lawsuit and $150 million going to upgrade its data protection system,” adds CNET.