T-Mobile Says Hacker Stole Data From 37 Million Accounts

T-Mobile confirmed Thursday that an unidentified malicious intruder breached its network in late November and stole data on 37 million customers, according to a regulatory filing.

In a filing with the U.S. Securities and Exchange Commission, T-Mobile said that the data breach was found on Jan. 5, adding that data exposed to the theft did not include critical information such as PINs, bank account numbers, credit card information, Social Security numbers, or government identification numbers. Instead, addresses, phone numbers, and dates of birth were accessed, the filing said.

“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time,” T-Mobile said, adding that the data was first accessed around Nov. 25 but wasn’t discovered for weeks later.

The firm added that it hired a cybersecurity company to investigate the breach. It’s also working with law enforcement and will notify customers if their information was leaked, according to the filing.

The Epoch Times has contacted the company for comment. In a statement to Fox News, T-Mobile said that when the breach was found, it was “shut down” within a day.

“As soon as our teams identified the issue, we shut it down within 24 hours. Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, customer accounts and finances should not be put at risk directly by this event,” the statement said. “There is also no evidence that the bad actor breached or compromised T-Mobile’s network or systems.”

With the announcement, it means the company has been hacked multiple times in recent years. In its filing, T-Mobile said it did not expect the latest breach to have material impact on its operations.

But a senior analyst for Moody’s Investors Service, Neil Mack, said in a statement that the breach raises questions about management’s cyber governance and could alienate customers and attract scrutiny by the Federal Communications Commission and other regulators.

“While these cybersecurity breaches may not be systemic in nature, their frequency of occurrence at T-Mobile is an alarming outlier relative to telecom peers,” Mack said.

Prior to the August 2021 intrusion, the company disclosed breaches in January 2021, November 2019 and August 2018 in which customer information was accessed.

Since 2018, the firm has been hacked at least eight times, according to Techcrunch. The most recent one occurred in 2022 when a hacking collective known as Lapsus$ gained access to the company’s internal systems and allowed them to take over victims’ phone numbers in what is known as a SIM swap.

In July, T-Mobile agreed to pay $350 million to customers who filed a class action lawsuit after the company disclosed in August 2021 that personal data including Social Security numbers and driver’s license info had been stolen. Nearly 80 million U.S. residents were affected by the breach.

T-Mobile said Thursday that after the latest breach, it began a “substantial multi-year investment” to improve its cybersecurity two years ago. “Protecting our customers’ data remains a top priority,” the company said. “We will continue to make substantial investments to strengthen our cybersecurity program.”

T-Mobile, based in Washington state, became one of the United States’ largest cellphone service carriers in 2020 after buying rival Sprint. It reported having more than 102 million customers after the merger.

The Associated Press contributed to this report.