
T-Mobile Data Breach: Hacker Accessed Personal Details of 37 Million Subscribers

U.S. wireless carrier T-Mobile said it was investigating a data breach two years after it agreed to settle another leak that exposed the personal information of nearly 77 million subscribers.

T-Mobile notified law enforcement agencies and began working with a third-party cybersecurity company to investigate the breach that leaked basic personal and account information. However, the breach did not leak customers’ banking and financial information, such as credit cards or government-issued numbers.

With a customer base of 110 million subscribers, T-Mobile has suffered eight cybersecurity incidents since 2018, including the SIM-swapping attacks by Lapsus$ hackers in 2022.

T-Mobile data breach exploited a vulnerable API

T-Mobile said it detected malicious activity by a bad actor on January 5, 2023, and stopped the breach within a day. The company added that the threat actor did not compromise its internal systems and that the incident was fully contained.

“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” the company wrote.

In an SEC filing on January 19, 2023, T-Mobile said hackers began exfiltrating data on November 25, 2022, via an application programming interface (API). According to T-Mobile, the exploited API does not return critical information such as payment card information (PCI), social security numbers (SSNs) or tax IDs, driver’s license information, or other government-issued numbers, account passwords, or SIM PINs.

The company did not explain whether the API was used for daily operations or was a development, testing, abandoned, or rogue API. Whatever its role, the API exposed basic customer information such as name, date of birth, billing address, email, phone number, account number, number of lines registered on the account, and service plan features. Some accounts, however, did not have the complete set of this information.
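As an added illustration, not code from the article or from T-Mobile, the snippet below shows the kind of detection a defender would run over API access logs for this scenario: a single client token reading far more distinct customer profiles per hour than any legitimate app would. The log format, endpoint path and the 100-profiles-per-hour threshold are all assumptions.

```python
import json
import re
from collections import defaultdict

# Constructed API access log, one JSON object per line (not real carrier data).
# A legitimate app fetches its own account a few times; a second token walks
# account numbers sequentially, the footprint a mass-exfiltration run leaves.
_NORMAL = [{"ts": f"2022-11-25T10:0{i}:00Z", "client": "app-4a2f",
            "path": "/v1/accounts/555001/profile", "status": 200} for i in range(3)]
_SCRAPER = [{"ts": f"2022-11-25T10:{i // 60:02d}:{i % 60:02d}Z", "client": "tok-9f1c",
             "path": f"/v1/accounts/{100000 + i}/profile", "status": 200} for i in range(180)]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _NORMAL + _SCRAPER)

# Assumed endpoint shape: the account number is embedded in the path.
ACCOUNT_RE = re.compile(r"^/v1/accounts/(\d+)/profile$")


def parse_log(text):
    """Yield (hour_bucket, client, account_id) for successful profile reads only."""
    for line in text.splitlines():
        ev = json.loads(line)
        m = ACCOUNT_RE.match(ev["path"])
        if not m or ev["status"] != 200:
            continue
        # "2022-11-25T10" is the hour bucket; per-hour counting keeps a slow
        # multi-week drain visible as soon as any single hour crosses the line.
        yield ev["ts"][:13], ev["client"], m.group(1)


def flag_enumerators(text, distinct_threshold=100):
    """Return {client: peak distinct accounts read in one hour} for clients over threshold."""
    seen = defaultdict(set)  # (hour, client) -> distinct account ids read
    for hour, client, acct in parse_log(text):
        seen[(hour, client)].add(acct)
    peak = defaultdict(int)
    for (hour, client), accts in seen.items():
        peak[client] = max(peak[client], len(accts))
    return {c: n for c, n in peak.items() if n > distinct_threshold}


if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))  # {'tok-9f1c': 180}
```

The threshold should come from a baseline of the real application's per-client behaviour; a customer-facing profile endpoint rarely needs one token to read more than a handful of accounts.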

Sensitive details such as credit card information and social security numbers were not exposed during the incident. T-Mobile said its systems and policies prevented critical personal and account information from being accessed by unauthorized parties.

“Unprotected APIs are rapidly becoming one of the primary sources of disastrous data breaches,” said Dr. Ilia Kolochenko, Founder, CEO, and Chief Architect at ImmuniWeb. “The situation is aggravated by shadow IT that now encompasses not only the forgotten, abandoned, or undocumented APIs and web services but also the full spectrum of accidentally exposed APIs from test and pre-production environments that may be hosted or managed by numerous third parties that have privileged access to sensitive corporate data.”

Data breach investigations ongoing, promises to strengthen cyber security

Meanwhile, the company has begun notifying 37 million customer account holders and reported the incident to relevant law enforcement agencies. The carrier is also working with external cyber experts to investigate the incident. The Federal Communications Commission (FCC) has also opened an investigation into the incident, which it described as part of “a string of data breaches” at the company.

Brad Hong, Customer Success Lead at Horizon3.ai, believes that the string of data breaches at the company has impacted most T-Mobile customers: “With T-Mobile having failed to gatekeep the data of 50-76 million in 2021 and now 37 million, out of its 110 million customers, it would be an easier estimate to deduce how many of their customers were not affected by a breach.”

T-Mobile does not anticipate that the incident would have any material effect on the company’s operations. However, the company predicts that the data breach would have “significant costs.”

FCC’s probe could lead to another large settlement, like in 2021 when T-Mobile exposed personal data, including social security numbers and driver’s licenses, dates of birth, and phone numbers of 76.6 million customers. That year, the carrier agreed to pay $350 million to the data breach victims and also spend $150 million in cybersecurity investment to enhance its defenses.

The company has promised to continue investing in its cyber defenses after the latest data breach.

“While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program,” the company wrote.

However, some security experts wondered whether the company had kept its promise of increasing cybersecurity spending.

“How much of the pledged money was actually pulled out from the company’s bottom line to add to its war chest for cyber? What was the actual percentage increase in spend for security technology from this promise?” Hong asked.

T-Mobile did not disclose the attacker’s identity, but Ted Miracco, CEO at Approov, believes the incident was a state-sponsored cyber attack.

“All signs on this point to a state sponsored attack, based on the magnitude of data stolen and the period of time involved in exfiltrating the data.”

“We live in an environment where companies would rather apologize for a data breach, and then offer their clients one year of free credit monitoring services, than invest in cyber security solutions that might have contained the breach before 40 million records were exfiltrated,” Miracco concluded.