T-Mobile suffers its second biggest data breach impacting 37 million users

Data breaches are becoming an all-too-common occurrence, as we rely more and more on online services in our everyday lives. Unfortunately, some companies are more affected than others. T-Mobile is one such company, as it recently sustained another major data breach just two years after its last one.

Hackers obtain customer data through API exploit

On January 5th, T-Mobile announced it was investigating a data breach that had occurred on its servers. Hackers had exploited an API to gain access to the servers and were able to steal the user data of 37 million people, including names, physical addresses, emails, phone numbers, and dates of birth.

T-Mobile stated it had traced the source of the malicious activity and fixed the API exploit within a day of detection. The company also clarified that the API used by the hacker did not allow access to data containing Social Security numbers, credit card information, government ID numbers, passwords, PINs, or financial information. T-Mobile is currently notifying affected customers and continuing its investigation to ensure that the malicious activity is fully contained.


T-Mobile’s response to the data breach

In a press release announcing the breach, T-Mobile omitted the fact that the breach impacted 37 million accounts and that it had gone undetected for over a month. Instead, the company stated that it had “shut it down within 24 hours” once its teams identified the issue.

It’s not the first time T-Mobile has suffered a data breach. In fact, the company has disclosed eight hacks since 2018, including previous breaches that exposed customer call records and credit application data, and an incident in which an “unknown actor” accessed customer information and executed SIM-swapping attacks. It is concerning that the company seems to have learned very little from its previous data breaches.

“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time. There is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” the company stated in a filing.