Attack on T-Mobile US Data Hits 37 Million Users

T-Mobile US is investigating a cyberattack that compromised the personal data of 37 million customers. The company warned that it could be on the hook for significant expenses as a result.

In a filing with the Securities and Exchange Commission (SEC), T-Mobile stated it identified malicious activity on its systems on 5 January and it believed the attack began on or around 25 November 2022. The hacker was able to collect customer data by accessing an API without authorization, the company said.

T-Mobile claims it stopped the cyberattack within 24 hours of identifying the incident, stating no sensitive data relating to financial information, social security numbers, government identification, or payment cards had been compromised. Data obtained by the hacker includes users’ names, billing addresses, email, phone numbers, date of birth, T-Mobile account number, and information related to service and plan bundles.

In 2022 T-Mobile agreed to pay $350 million to settle a lawsuit related to a breach in 2021 involving more than 100 million customers. With the company facing another high-profile attack, T-Mobile said it may incur significant expenses, but added it did not currently expect the latest breach would have a material effect on its operations.