The third largest wireless carrier in the United States told federal regulators Thursday it found a threat actor siphoning the identifying information of 37 million customers.
T-Mobile, the name assumed by the company that emerged after the 2020 merger of telecoms Sprint and T-Mobile US, minimized the breach’s impact in a filing with the Securities and Exchange Commission. No payment card, government identifiers or passwords are part of the breach, said the company. The Bellevue, Washington telecom has more than 110 million customers.
It fingered an application programming interface that exposed data including names, emails, phone numbers and dates of birth as the source of the breach. Hackers did not obtain a full data set of every one of the 37 million individuals affected, it added. Prepaid and subscription customers are affected; hackers also obtained data including the number of lines on the account and service plan features.
Hackers had access to the API for approximately six weeks until company personnel spotted and shut down outside access to the interface on Jan. 5. A separate press release says the time from incident detection to resolution was less than 24 hours.
Although not as damaging as leaked financial accounts, leaked data such as phone numbers and email addresses can still pose threats to consumers, especially if bad actors know that the information is recent and so likely to be valid. Risk of phishing and identity theft attempts typically rise in the wake of data breaches even if cyberthieves lack information such as passwords.
