The biggest US telecom operator T-Mobile in a regulatory filing said that an unidentified malicious intruder breached its network in late November and stole data on 37 million customers including addresses, phone numbers and dates of birth.

The telecom giant, in its filing on Thursday said, “On January 5, 2023, T-Mobile identified that a bad actor was obtaining data through a single Application Programming Interface (“API") without authorization. We promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, we were able to trace the source of the malicious activity and stop it."

It stated that the investigation is still ongoing, but the malicious activity appears to be fully contained at this time.

"Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time,” T-Mobile said, with no evidence the intruder was able to breach the company's network. It said the data was first accessed on or around November 25.

However, the company has assured that customer payment card information (PCI), social security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs or other financial account information was not compromised. 

T-Mobile said it has notified law enforcement and federal agencies, which it did not name. 

The firm has been hacked multiple times in recent years. In its filing, T-Mobile said it did not expect the latest breach to have material impact on its operations. But a senior analyst for Moody's Investors Service, Neil Mack, said in a statement that the breach raises questions about management's cyber governance and could alienate customers and attract scrutiny by the Federal Communications Commission and other regulators.

“While these cybersecurity breaches may not be systemic in nature, their frequency of occurrence at T-Mobile is an alarming outlier relative to telecom peers,” Mack said.

“While these cybersecurity breaches may not be systemic in nature, their frequency of occurrence at T-Mobile is an alarming outlier relative to telecom peers," Mack said.

In July, T-Mobile agreed to pay $350 million to customers who filed a class action lawsuit after the company disclosed in August 2021 that personal data including Social Security numbers and driver's license info had been stolen. Nearly 80 million U.S. residents were affected.

It also said at the time that it would spend $150 million through 2023 to fortify its data security and other technologies.

T-Mobile, based in Bellevue, Washington, became one of the country’s largest cellphone service carriers in 2020 after buying rival Sprint. It reported having more than 102 million customers after the merger.

Image courtesy: CNN