US telecommunication provider T-Mobile has been hit again in a data breach, this time involving 37 million customers. This is the eighth time T-Mobile has been hacked since 2018.
The telecom company said in a US SEC filing that the “bad actor” started stealing the data, which includes “name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features,” since November 25, 2022.
The company said in the filing that on January 5, T-Mobile US identified that a bad actor was obtaining data through a single application programming interface (API) without authorisation.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” the company wrote.
“The preliminary result from our investigation indicates that the bad actor(s) obtained data from this API for approximately 37 million current postpaid and prepaid customer accounts, though many of these accounts did not include the full data set,” the company admitted.
The impacted API was able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features.
Last year, T-Mobile agreed to pay $500 million to settle a class-action lawsuit in a 2021 data breach that impacted nearly 76.6 million users’ data in the US.
In August 2021, the company admitted its systems were hacked into, including social security numbers, names, addresses, and driver’s license information.