T-Mobile said on Thursday that a hacker had collected data, including names, birth dates and phone numbers, from 37 million customer accounts, the company’s second major breach in less than two years.
In a securities filing, T-Mobile said it first discovered that a “bad actor” was obtaining the data on Jan. 5. With help from outside cybersecurity experts, the mobile service provider stopped the leak the next day, it said.
The company said there was no evidence that its systems or network had been compromised, adding that the mechanism the hacker exploited did not provide access to more sensitive information such as Social Security numbers, government identification numbers, or passwords or payment card information.
“We understand that an incident like this has an impact on our customers and regret that this occurred,” T-Mobile said in a statement.
The exposed information included names, billing and email addresses, phone numbers, birth dates, T-Mobile account numbers, and information such as the lines on an account and plan features. Many of the accounts did not include all of that data. The company said it has started to notify some of the affected customers in accordance with state and federal requirements.
T-Mobile said it was continuing to investigate the exposure and had notified the federal authorities. The company said it believed that the hacker first started retrieving data on Nov. 25 through an application programming interface, a common bit of code that allows software to communicate with other software.
A cyberattack in 2021 exposed data from nearly 77 million T-Mobile customer accounts, including names, Social Security numbers and driver’s license information. As a result, the company agreed both to pay $350 million to settle customer claims and to spend $150 million to enhance its cybersecurity practices and technologies.
In Thursday’s filing, T-Mobile said it had “made substantial progress to date” on those upgrades. It also acknowledged that it could face “significant expenses” from the latest breach.