T-Mobile US today said someone abused an API to download the personal information of 37 million subscribers.
A regulatory filing [PDF] disclosed one or more miscreants were able to access potentially the “name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features” of each affected customer.
Passwords, payment details, and other sensitive information were not obtained, we’re told. The stolen data covers “current postpaid and prepaid customer accounts.”
A T-Mo statement on Thursday explained the carrier has started informing people their personal data was accessed, and offered the opinion that “customer accounts and finances should not be put at risk directly by this event.”
Note the use of “directly” – an apparent acknowledgment that the siphoned records can be used as the basis for phishing, identity theft, and the like, meaning pain could be felt weeks or months after people are warned of the security fiasco.
The press statement described the stolen data as “basic” and “nearly all of which is the type widely available in marketing databases or directories.” Oh, so that’s OK, then. No need to really worry about data security. Your personal info is already out there, everywhere, anyway. Thanks to companies like T-Mobile US, of course.
The SEC filing, meanwhile, added the carrier spotted “a bad actor was obtaining data through a single Application Programming Interface (API) without authorization” on January 5, 2023. Subsequent investigations led to the conclusion the intruder had been using the API for evil as early as November 25, 2022 – meaning roughly six weeks of unauthorized bulk data retrieval through that one interface before anyone noticed.
The cellular network downplayed the theft, stating: “Our systems and policies prevented the most sensitive types of customer information from being accessed.”
The document also suggests the incident could have been far worse had T-Mobile US not begun a security improvement program in 2021.
But that program was made necessary by the carrier’s flimsy security, which has seen it repeatedly suffer data breaches. Here’s a summary of T-Mobile US’s troubles:
- 2018 – Two million records accessed, including hashed passwords
- 2019 – Over a million customer records accessed, some personal data exposed
- March 2020 – Employee email accounts compromised, and customer details accessed
- December 2020 – A mere 200,000 customer records describing network information leaked
- 2021 – 48 million postpaid customers’ records posted to the dark web
- July 2022 – T-Mobile US announces $550 million settlement of the 2021 breach
- November 2022 – Contributes to $16 million settlement of 2012 and 2015 breaches at Experian that entangled T-Mobile customers
That’s a mighty record of mistakes. Which is why T-Mob in 2021 “commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity.”
While the SEC filing states the cellular giant feels it has “made substantial progress to date,” news of the new incident suggests the program may not be achieving its goals.
In its statement, the carrier seemingly surrenders to the inevitability of more successful attacks. “While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program,” the paperwork states.
It also admits: “We may incur significant expenses in connection with this incident.”
That sound you hear? Lawyers everywhere preparing class-action documentation.
Or maybe the sound is T-Mobile US execs laughing this one off: since 2018 the carrier’s share price has soared from $65 to $145, subscriber numbers have grown from 77 million to 110 million, and revenue is on track to nearly double to around $80 billion. ®