T-Mobile subjected to yet another data hack

T-Mobile was the target of yet another data breach. This time, it reportedly affected only about 800 people, but some news organizations are pointing out that it’s the ninth hack since 2018.

In a letter to customers first spotted by Bleeping Computer, T-Mobile apologized and said personal financial account information and call records were not affected. Information obtained through the hack varied, but could include name, contact information, account number, T-Mobile account PIN, social security number, government ID, date of birth and more.

“We notified a small number of customers that our systems and processes worked to detect and stop a bad actor who was accessing accounts using stolen credentials,” T-Mobile said in a statement provided to Fierce. “No personal financial account information or call records were included. We take these issues seriously and have taken steps to proactively protect the impacted customer accounts and to help prevent recurrence. We are continuing to expand the safeguards we have in place.”

The intrusion, which started on February 24 and lasted until March 30, affected 836 customers, according to Ars Technica, which cited a notification on the website of Maine Attorney General Aaron Frey. T-Mobile did not confirm the exact number of customers affected when responding to Fierce's inquiry. 

In the letter obtained by Bleeping Computer, T-Mobile said it had proactively reset affected customers’ PINs and is offering them two years of free credit monitoring and identity theft detection services.

T-Mobile recommended these customers review their account information and update their PIN to a new one of their choosing. It’s also encouraging them to use features that T-Mobile offers, like Scam Shield and Account Takeover Protection.

Lots of 'bad actors'

In January, T-Mobile reported a data breach that affected about 37 million prepaid and postpaid customers. In a Securities and Exchange Commission (SEC) filing, T-Mobile said that a “bad actor” had obtained data through a single Application Programming Interface (API).  

In a more recent quarterly SEC filing, T-Mobile acknowledged that it has become subject to numerous lawsuits as a result of an August 2021 cyber attack. It’s also still awaiting a ruling from a court about a $350 million settlement related to that incident, and it has committed to spending $150 million for data security and related technology in 2022 and 2023.

The April 27 SEC filing doesn’t mention the latest attack but notes that T-Mobile became subject to consumer class actions and regulatory inquiries as a result of the January 2023 cyber attack, to which it will respond “in due course,” and that it may be subject to additional legal proceedings and claims.