T-Mobile on Thursday said a threat actor accessed personal data on about 37 million current customers in an intrusion that went undetected since late November.
The wireless network operator identified the malicious activity on Jan. 5 and during a subsequent investigation determined the unauthorized access began on or around Nov. 25, the company said in a filing with the Securities and Exchange Commission.
T-Mobile said it was able to trace the source of the malicious activity to an application programming interface and stop it with the help of cybersecurity consultants.
This incident marks the eighth publicly acknowledged data breach at T-Mobile since 2018, including a massive data breach in August 2021 that exposed personal data of at least 76.6 million people.
The investigation is ongoing, but T-Mobile said there is no evidence its systems or network were breached during the incident.
The impacted API provides access to customer account data, including names, billing and email addresses, phone numbers, dates of birth and account numbers. Sensitive PII, including payment information, social security numbers, tax IDs, driver’s licenses and passwords, was not exposed, according to T-Mobile.
The company is notifying customers whose information may have been obtained by the threat actor, and federal law enforcement agencies are assisting T-Mobile in its response, the company said.
“We may incur significant expenses in connection with this incident,” T-Mobile said in the regulatory filing.
The company in July 2022 agreed to pay $500 million to settle a class-action lawsuit stemming from the August 2021 cyberattack, which is widely regarded as the largest carrier breach on record.