T-Mobile reports another hack, this one impacting 37M accounts

The “un-carrier” reported another data breach on Thursday that involved an estimated 37 million prepaid and postpaid customers.

In a Securities and Exchange Commission (SEC) filing Thursday, T-Mobile said that on January 5, 2023, it had identified a “bad actor” that was obtaining data through a single Application Programming Interface (API). It was able to trace the source of the malicious activity within a day of learning of it. It appears the hacker first retrieved data through the impacted API starting on or around November 25, 2022.

“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time,” the company stated in the filing, adding that there’s no evidence T-Mobile’s systems or network were hacked. “We will continue to make substantial investments to strengthen our cybersecurity program.”

No customer payment card information, social security numbers, driver’s license or financial account information were exposed. However, name, billing address, email, phone number, date of birth and T-Mobile account numbers were uncovered.

In a press release, T-Mobile said it understands that an incident like this has an impact on customers and it regrets it. “While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program,” the company stated.

Why all the hacks?

After a well-publicized attack in 2021, T-Mobile CEO Mike Sievert issued an apology and said T-Mobile had entered into long-term partnerships with cybersecurity experts at Mandiant and consulting firm KPMG.

But the frequency of the data breaches is setting off alarm bells. The Verge counted eight hacks disclosed since 2018, with previous breaches exposing customer call records and credit application data.

Neil Mack, senior analyst at Moody’s Investors Service, said the frequency of data breaches at T-Mobile is alarming relative to telecom peers. It isn’t clear if different disclosure procedures across telecom operators play a role in this, but “the frequency of disclosures at T-Mobile appears to be an outlier,” he told Fierce.

“Given the intense competitive environment in the wireless industry, the possibility of competitors such as Verizon and AT&T using T-Mobile’s data breaches in their own marketing to gain share is a likely concern for the company,” Mack said.

GlobalData analyst Tammy Parker said it’s astonishing that this latest cyber breach was announced just days before a January 23 deadline in a class action lawsuit for people to submit a claim for reimbursement. That lawsuit stemmed from the massive 2021 data breach.

“I believe T-Mobile felt it had improved its security after the 2021 data breach, and it must be stunned that a breach of this magnitude has occurred again,” Parker told Fierce. “T-Mobile’s checkered history of data breaches makes it an especially appealing target because its vulnerabilities have been repeatedly exposed.”

The hacks don’t appear to be affecting T-Mobile’s growth – earlier this month, it reported 927,000 postpaid phone net adds for Q4 2022 – likely because consumers are getting used to hearing about these kinds of data incursions in general, she said.

But they certainly don’t help T-Mobile as it tries to build a reputation as a trusted partner for business and government entities, with the latest situation likely to come up during negotiations with potential customers, she said.

556 Ventures analyst William Ho said data breaches seem to happen across industries, but the fact that T-Mobile has been on the receiving end so many times raises questions about its approach. Now would be a good time to address how its partnerships with Mandiant and KPMG are shoring up its IT infrastructure.

“These breaches are troubling for T-Mobile’s efforts to get into the enterprise sector where security is top of mind,” Ho said. “As the business segment is seen as a growth area, their sales force will have to reassure those customers that it won’t happen again. Competitors haven’t touted their own security as a marketing contrast though since that may elevate their own exposure.”

Anshel Sag, analyst at Moor Insights & Strategy, said he doesn’t think T-Mobile’s systems are any less secure than AT&T’s and Verizon’s, especially as so many different business customers who closely vet their cellular partners are also their customers.

“The reality is that consumers have become numb to data breaches, and I think this one will be forgotten just as the next one will be. API security is a major issue and a new attack vector as companies look to shore up the common causes of past breaches,” Sag said.

Ultimately, one of the biggest problems with security and data breaches is that many of these things are costs that can’t be recouped by the company with the consumer, he said. “It needs to be wound into the cost of IT or operations and as we all know, many companies have underfunded IT for many years which brought us waves of breaches,” he said.