US Inc. said hackers accessed data, including birth dates and billing addresses, for about 37 million of its customers, the second major security lapse at the wireless company in two years.
The company said in a regulatory filing Thursday that it discovered the problem on Jan. 5 and was working with law-enforcement officials and cybersecurity consultants. T-Mobile said it believes the hackers had access to its data since Nov. 25 but that it has since been able to stop the malicious activity.
The cellphone carrier said it is currently notifying affected customers and that it believes the most sensitive types of records—such as credit card numbers, Social Security numbers and account passwords—weren’t compromised. T-Mobile has more than 110 million customers.
The company said its preliminary investigation indicates that data on about 37 million current postpaid and prepaid customer accounts was exposed. The company said hackers may have obtained names, billing addresses, emails, phone numbers, birth dates and account numbers. Information such as the number of lines on the account and plan features could have also been accessed, the company said.
“Some basic customer information (nearly all of which is the type widely available in marketing databases or directories) was obtained,” T-Mobile said in a statement. “No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised.”
The company said its systems weren’t breached but someone was improperly obtaining data through an API, or application programming interface, that can provide some customer information. The company said it shut down the activity within 24 hours of discovering it.
The company’s investigation into the incident is ongoing. T-Mobile warned that it could incur significant costs tied to the incident, though it said it doesn’t currently expect a material effect on the company’s operations. The company is set to report fourth-quarter results on Feb. 1.
T-Mobile acknowledged a security lapse last year after personal information regarding more than 50 million of its current, former and prospective customers was found for sale online. T-Mobile later raised its estimate and said about 76.6 million U.S. residents had some sort of records exposed.
A 21-year-old American living in Turkey claimed credit for the 2021 intrusion and said the company’s security practices cleared an easy path for the theft of the data, which included Social Security numbers, birth dates and phone-specific identifiers. T-Mobile’s chief executive later apologized for the failure and said the company would improve its data safeguards.
T-Mobile proposed paying $350 million to settle a class-action lawsuit tied to the 2021 hack. As part of the settlement, the company also pledged to spend $150 million for security technology in 2022 and this year.
Write to Will Feuer at Will.Feuer@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8