37 Million T-Mobile API Data On Customers Stolen in Hack

By Adeola Adegunwa
Writer, Informationsecuritybuzz | Jan 20, 2023 07:06 am PST

Following a network intrusion by an “unidentified malicious intruder,” around 37 million T-Mobile customers had their personal information taken. Customers’ addresses, phone numbers, and dates of birth were among the data taken, the company informed the Securities and Exchange Commission on January 5. This is the mobile company’s second significant security breach in as few as two years.

According to the company’s research to date, the breach did not reveal bank account or credit card information, Social Security numbers, or other official identifications. The company claimed the data was accessed for the first time on or about November 25 and that it had contacted law enforcement and federal agencies.

After customers launched a class action lawsuit in response to a second data breach, which included Social Security numbers and driver’s license information, the company was ordered to pay $350 million in July. The company added that it had started notifying affected customers and that further investigation is ongoing. “The activity of the threat actors appears to be fully under control at this time, and it is certain that there is no evidence that the bad actor was able to compromise our systems or our network.”

“We apologize for this occurrence and recognize its impact on our customers.” The Wall Street Journal reported on Thursday that the U.S. Federal Communications Commission (FCC) has also investigated the company’s data leak event.

Previous Attacks On T-Mobile Since 2018

The company’s stock decreased 2% in after-hours trading. After the August attack that affected almost 80 million Americans, T-Mobile previously announced that it would invest $150 million through 2023 to strengthen its data security and other technologies.

T-Mobile stated in its filing on Thursday that these changes had “made substantial progress to date.” Additionally, it recognized that the most recent intrusion might result in “substantial expenses.” Prior to August 2021, the business acknowledged breaches in which customer information had been accessed in January 2021, November 2019 and August 2018.

After acquiring rival Sprint the same year, T-Mobile, based in Bellevue, Washington, rose to prominence as one of the nation’s top mobile providers in 2020. After the merger, it claimed to have more than 102 million clients.

With ransomware attacks against hospitals and other businesses that retain highly sensitive information on the rise in recent years, data breaches are a top issue for large companies in the U.S.

The Biden administration declared that defending the nation from cyberattacks was a “high priority” after the 2021 attack on T-Mobile.

“Ransomware assaults have disrupted institutions all across the world, including banks in the UK, pipelines in the US, and hospitals in Ireland, Germany, and France. The threats are significant and getting worse.”

How To Manage Data Breach In Your Company

It is obvious that data breaches must be handled properly given the potential effects they may have on you, your business, and your clients and consumers.

  • Create a plan of action for handling the matter as a group. Engage a cyber security specialist to determine how this breach happened.
  • Reduce the impact of the breach. It’s critical that you take action right away because, for all you know, the data may not yet have been used maliciously.
  • Assemble a team as soon as possible to handle the problem and to determine what kind of data was stolen, so you know whether this data breach poses a risk to the public.
  • Assess the reason why your systems were compromised. Maintain the proof of the data breach so you have it all in writing.
  • Put safeguards in place to stop someone from misusing the data. By phone or email, inform your consumers as soon as you can that there has been a data breach.
  • Tell them how this occurred and what steps are being taken to address it in an honest and open manner. Encourage clients and customers to update any login information, to keep their updated information secure, and to be watchful for any additional login attempts.
  • Provide compensation, such as discounts and offers, for individuals impacted in order to lessen any additional loss of client loyalty.
  • Apply the lessons learned and put safeguards in place to prevent this from happening again (see next heading).
  • If you don’t alert the media right away, further hackers might try to take advantage of your system’s flaw. Make sure you resume regular business after all of this. Once everything is in order, there is no use in lingering on past errors. Instead, strive to move past them and open up fresh channels of conversation about your company.


T-Mobile, a US wireless carrier, reported on Thursday that an unnamed hostile intruder broke into its network in late November and took information on 37 million users, including addresses, phone numbers, and birthdates. The vulnerability was discovered on January 5, according to T-Mobile in a filing with the US Securities and Exchange Commission. According to its research to date, it said that no passwords or PINs, bank account or credit card information, or Social Security numbers were among the data exposed to theft.

9 Expert Comments
Ilia Kolochenko, Founder and CEO
InfoSec Expert
January 24, 2023 11:13 am

“Unprotected APIs are rapidly becoming one of the primary sources of disastrous data breaches. The situation is aggravated by shadow IT that now encompasses not only the forgotten, abandoned, or undocumented APIs and web services but also the full spectrum of accidentally exposed APIs from test and pre-production environments that may be hosted or managed by numerous third parties that have privileged access to sensitive corporate data.

Given that the exfiltration of 37 million customer records was visibly not detected and blocked by the anomaly detection system, we could suppose that the breached API belonged to the unknown and thus unprotected shadow assets. While the financial data of the customers is reportedly safe, the compromised billing details can be aptly exploited by cybercriminals for sophisticated spear phishing attacks aimed, amongst other things, to steal 2FA tokens from other systems.

In view of the previous security incidents implicating T-Mobile, legal consequences for this data breach may be pretty harsh – courts and regulators will unlikely be lenient when considering monetary and other available sanctions.”

Ted Miracco, CEO
InfoSec Expert
January 24, 2023 11:12 am

“All signs on this point to a state sponsored attack, based on the magnitude of data stolen and the period of time involved in exfiltrating the data. Was this attack preventable? Yes, but that would require a serious commitment and the corresponding investments in protecting clients’ data. It is very unfortunate that there is little accountability for these breaches. We live in an environment where companies would rather apologize for a data breach, and then offer their clients one year of free credit monitoring services, than invest in cyber security solutions that might have contained the breach before 40 million records were exfiltrated. The bottom line is that companies like T-Mobile are focused on their bottom lines, and it is more cost effective to apologize than to correct the systemic problems in these cases.”

Brad Hong, Customer Success Manager
InfoSec Expert
January 24, 2023 11:11 am

“With T-Mobile having failed to gatekeep the data of 50-76 million in 2021 and now 37 million, out of its 110 million customers, it would be an easier estimate to deduce how many of their customers were not affected by a breach. What makes this more disappointing is that even after the lackluster response to the mobile carrier’s first data breach alongside a very public announcement to pledge more money into security technology, consumers are only discovering that their PII may have been exposed through a game of telephone originating from a regulatory filing that was caught by a WSJ reporter. How much of the pledged money was actually pulled out from the company’s bottom line to add to its war chest for cyber? What was the actual percentage increase in spend for security technology from this promise?

“From the attacker’s perspective, for example, with just the intelligence gathered from the recent Experian in tandem with this data breach, there’s not much else needed to commit crimes. There’s enough data to do anything from SIM swaps and refined targeting for phishing, all the way to identity theft and credit card & wire fraud. What other authoritative source of identity is left for the average consumer to use to verify who they are when the supposed gatekeepers of our most sensitive data keep failing to defend it, let alone notify them so as to protect themselves preemptively?”

Dr. Darren Williams, Founder and CEO
InfoSec Expert
January 24, 2023 11:09 am

“This is breach #8 for T-Mobile in the last 5 years or so, the previous one affecting 48 million customers. Plenty of large organisations make data breach news as we know, but making news for your 8th breach certainly makes them an outlier.

If there is a lesson to be learned for T-Mobile today it’s that whatever they are doing to protect their customers’ data certainly isn’t hitting the mark. Presumably an organisation of this size has a plethora of cyber tools to prevent attacks, so we can only assume they are relying on perimeter defence techniques or legacy solutions. Adding third generation cyber tools such as anti-data exfiltration technology would seem a must have for the organisation at this time.”

Sam Curry, Chief Security Officer
InfoSec Expert
January 22, 2023 11:14 am

What is or isn’t sensitive is an important question to ask. Whether or not sensitive data and financial information was lost isn’t the point. Customer information is a privilege to hold, not a right; and while it’s great that T-Mobile’s network wasn’t compromised in this instance, and that outright theft wasn’t enabled through loss of direct billing numbers, eroding privacy and making it easier for hackers to compromise identities is still important and sensitive.
It appears that T-Mobile moved quickly and, while the details aren’t yet known, the world is paying attention for the results of this investigation. Hackers are innovative, and companies with valuable data and services are always a target, but it remains to be seen if the compromises in 2023 are similar to the ones suffered by T-Mobile in 2021. Did the company learn from 2021? Was 2023 unique? Was this a case this time around if anyone can fail occasionally or is it worse than that? Only time and the facts will tell us and tell T-Mobile and fellow practitioners what the new lessons-to-be-learned are.

