T-Mobile says hacker stole data on 37 million customers

T-Mobile said a hacker stole data on about 37 million customers after first gaining access to a company system in November, according to a Securities and Exchange Commission (SEC) report filed on Thursday. 

The phone carrier said it first identified the “bad actor” on Jan. 5 and was able to trace and stop their activity within a day.

“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” T-Mobile said in the SEC filing.

The hacker breached a single application programming interface on about Nov. 25 that contained data on customer names, billing addresses, emails, phone numbers, dates of birth, T-Mobile account numbers and plan information. However, T-Mobile noted that many of the 37 million accounts affected did not include this entire range of data.

Payment information, social security or tax ID numbers, driver’s license or other government ID numbers, and passwords and PINs were not impacted by the data breach, according to T-Mobile.

“Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, based on our investigation to date, customer accounts and finances were not put at risk directly by this event,” it added in the filing.

The phone carrier said it notified federal agencies about the breach and has begun notifying customers whose information may have been stolen.

T-Mobile noted that it began a “substantial multi-year investment” to improve its cybersecurity in 2021.

“Protecting our customers’ data remains a top priority,” the company said. “We will continue to make substantial investments to strengthen our cybersecurity program.”