T-Mobile Falls Prey to Data Breach Again

By Greg Tavarez, TMCnet Editor  |  January 20, 2023

T-Mobile is one of the major carriers striving to better connect everyone, whether by teaming up with Cisco to ramp up 5G performance or by connecting Delta Air Lines SkyMiles Members.

Being one of the major carriers also means a bigger target on the Un-carrier's back for cyberattacks; the 2021 cyberattack that affected around 76.6 million people is one example.

Well, T-Mobile found itself the victim of another data breach, its eighth since 2018, after a threat actor stole personal information from 37 million current postpaid and prepaid customer accounts through one of its APIs.

The company did not say how the API was exploited, but said that the bad actor in the attack stole data using the API around November 25, 2022. T-Mobile detected the malicious activity on January 5 of this year, and the attacker’s access to the API was cut off a day later.

Luckily, the abused API did not allow the attacker to access affected customers' driver's licenses or other government ID numbers, Social Security numbers, passwords, PINs or payment card information.

Obviously, no data breach is good. If there is a silver lining in this for customers, it is that the API only provides what T-Mobile called more basic information, such as the customer’s name, billing address, phone number, account number and the number of lines and features. This could simply be T-Mobile downplaying the situation to avoid panic among its customers.

The incident was reported to U.S. federal agencies, and T-Mobile is working with law enforcement to investigate the breach. The carrier is also notifying customers who might be impacted by the breach.

Eight breaches since 2018 is a lot, especially for a company that should have enough resources to better protect itself and its customers. But T-Mobile keeps finding itself in this cycle.

From attackers accessing an internal T-Mobile application without authorization, to a brute-force attack and paying attackers $270,000 in 2021, to the Lapsus$ extortion gang breaching its network using stolen credentials in 2022, to now, not much progress is being made by T-Mobile on the cybersecurity side. At least that’s what it looks like from the view of a consumer.

Sure, this only affects a percentage of T-Mobile customers, but T-Mobile still needs to do something to reassure every one of its customers, even potential future customers, that their data and private information are secured.




Edited by Alex Passett