The US wireless carrier T-Mobile stated that an anonymous malicious intruder breached its network in late November and stole data on 37 million customers, including addresses, phone numbers and dates of birth.
On Thursday, T-Mobile said in a filing with the Security and Exchange Commission that the breach was discovered on January 5. The company said that the data exposed to theft — based on its probe till date — did not include passwords or PINs, bank account or credit card information, Social Security numbers or other government IDs.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time,” T-Mobile said, with no evidence the intruder was able to breach the company’s network.
The data was first accessed on or around November 25. T-Mobile said it has mentioned law enforcement and federal agencies, which it did not name. The company said it did not expect the incident to have material effect on its operations.
The wireless network has been hacked earlier. The company agreed to pay USD 350 million in July to customers who filed a class action lawsuit after the company disclosed in August 2021 that personal data constituting Social Security numbers and driver’s license information had been stolen. Nearly 80 million US residents were impacted.
It also said at the time that it would spend USD 150 million through 2023 to fortify its data security and other technologies. Prior to the August 2021 intrusion, the company disclosed breaches in January 2021, November 2019 and August 2018 in which customer information was accessed.
Based in Bellevue, Washington, the wireless network company became one of the country’s largest cellphone service carriers in 2020 after acquiring competitor Sprint in 2020. It reported having more than 102 million customers after the merger.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time,” T-Mobile said, with no evidence the intruder was able to breach the company’s network. The company did not immediately respond to an e-mail seeking comment.
Tha company also stated at the time that it would spend USD 150 million through 2023 to retrieve its data security and other technologies. Before August 2021 intrusion, the company disclosed breaches in January 2021, November 2019 and August 2018 in which customer information was accessed.