Mobile telecommunications company T-Mobile US, Inc. on Thursday disclosed a data breach in which approximately 37 million current postpaid and prepaid customer accounts were compromised through one of its Application Programming Interfaces (APIs) without authorization.
For those unaware, an API is a type of software interface that allows two applications to communicate with each other using a set of definitions and protocols.
In a filing with the U.S. Securities and Exchange Commission (SEC) on Thursday, T-Mobile said that it believes that the attacker first retrieved data through the impacted API starting on or around November 25, 2022.
However, the company only discovered the data breach on January 5, 2023. Within a day of learning of the malicious activity, T-Mobile commenced an investigation with external cybersecurity experts, identified the source of the activity, and put a stop to it within 24 hours.
The company said its systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, customer accounts and finances were not put at risk directly by the data breach.
Further, the API abused by the bad actor did not allow the attacker to access any customer payment card information (PCI), social security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs, or other financial account information.
“Rather, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features,” T-Mobile said in the SEC filing.
“The preliminary result from our investigation indicates that the bad actor(s) obtained data from this API for approximately 37 million current postpaid and prepaid customer accounts, though many of these accounts did not include the full data set.”
In a separate press release, it elaborated on the data stolen in the attack as “some basic customer information”, which includes name, billing address, email, phone number, date of birth, account number, and information such as the number of lines on the account and service plan features.
The company is continuing to diligently investigate the unauthorized activity and has reported the incident to certain U.S. federal agencies. It is also concurrently working with law enforcement to investigate the breach.
Additionally, it has started notifying customers whose information may have been obtained by the bad actor.
While the investigation is still ongoing, T-Mobile has stated that there is no evidence that the bad actor breached or compromised its network or systems, and that all of the malicious activity appears to be fully contained.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” the mobile carrier said in the press release.
The company did not reveal in its SEC filing or press release exactly what kind of API flaw the bad actors exploited. It did, however, note in the SEC filing that T-Mobile may incur significant expenses in connection with this incident.
This is the eighth data breach that T-Mobile has suffered since 2018. In July 2022, the mobile carrier agreed to pay $350 million to settle a consolidated class action lawsuit related to a 2021 data breach that exposed the information of more than 76 million people. It had also pledged an extra $150 million for security upgrades.