• T-Mobile US has admitted to being hacked
• Details relating to 37 million customers were stolen 
• The hacker was plundering the operator’s database for more than a month
• It had previously suffered an even bigger breach in mid-2021

Not for the first time, T-Mobile US has been forced to admit that its IT systems have been hacked and the personal details of customers accessed. This time, the operator noted in a filing with the SEC, data related to 37 million subscribers was accessed by “a bad actor” between late November 2022 and early January this year. 

The operator tried to play down the severity of the incident by noting that the “malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network.” In addition, it even boasts that “our systems and policies prevented the most sensitive types of customer information from being accessed and, as a result, based on our investigation to date, customer accounts and finances were not put at risk directly by this event,” as the API (application programming interface) via which the hacker gained access “does not provide access to any customer payment card information (PCI), social security numbers/tax IDs, driver’s licence or other government ID numbers, passwords/PINs or other financial account information, so none of this information was exposed.”

However, it noted that the hacker first started stealing customer data as long ago as 25 November and it was only after the cybersecurity breach was discovered on 5 January that the “malicious activity” was curtailed. 

What the hacker did manage to steal was “customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information, such as the number of lines on the account and plan features.”

This would be bad enough by itself, but it comes not too long after the operator’s previous major hacking incident.

In August 2021, the operator admitted that the details of about 54 million customers had been accessed by hackers. It was sued by customers and, in July last year, announced it had agreed to pay $350m to settle the case. 

T-Mobile noted in its most recent SEC filing that following that 2021 incident, “we commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity. We have made substantial progress to date, and protecting our customers’ data remains a top priority.”

Clearly the work done so far has not been enough and now the operator is bracing itself for another class action lawsuit. “We may incur significant expenses in connection with this incident,” it notes in its filing. 

- Ray Le Maistre, Editorial Director, TelecomTV