T-Mobile has announced that an attacker has accessed "limited types of information" on customers. It says it is informing impacted customers.
According to the press release, no passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised.
T-Mobile says the attacker gained access to the data through a single Application Programming Interface (API), without authorization. According to T-Mobile, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number, and information such as the number of lines on the account and plan features.
An API in general is a software interface, usually intended to allow one automated system to retrieve data from another, for example to allow a website to fetch relevant information from a database. When a threat actor finds a way to bypass authentication or obtain a higher level of permissions than they should have, it could enable them to fetch information about other customers.
The preliminary result of T-Mobile’s investigation combined with help from external cybersecurity experts indicates that the attacker accessed data of approximately 37 million current postpaid and prepaid customer accounts, though many of these accounts did not include the full data set.
Window of access
The mobile carrier says it detected the malicious activity on January 5, 2023. The press release says the issue was resolved within 24 hours after it was identified. What the press release doesn’t say, but what we can read in the Form 8-K—used when informing the Securities and Exchange Commission (SEC) about a breach—is that the attacker first retrieved data through the impacted API starting on or around November 25, 2022.
The timing of the data breach is far from ideal. It was last week that customers faced a deadline to file a claim over $350 million related to a 2021 cyberattack which impacted around 80 million US residents. The carrier agreed to the massive payout to resolve allegations that negligence led to the 2021 data breach that exposed millions of people's personal information. The stolen data at the time included names, driver licenses, addresses, and social security numbers.
As part of that settlement, T-Mobile committed to an aggregate incremental spend of $150 million for data security and related technology in 2022 and 2023. T-Mobile references this in its Form 8-K about the current incident:
“As we have previously disclosed, in 2021, we commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity. We have made substantial progress to date, and protecting our customers’ data remains a top priority. We will continue to make substantial investments to strengthen our cybersecurity program.”