The Federal Communications Commission (FCC) launched an investigation into T-Mobile after the telecommunications giant disclosed it suffered yet another significant cybersecurity lapse exposing customer information.
T-Mobile said in a filing with the Securities and Exchange Commission on Thursday that a bad actor used a single application programming interface to obtain the data of approximately 37 million current postpaid and prepaid customer accounts. The company said it found no evidence the bad actor breached or compromised its systems and that it shut the issue down within 24 hours of identifying it on Jan. 5.
Affected information included names, billing addresses, email addresses, phone numbers, dates of birth, and T-Mobile account numbers and features. No passwords or financial information were exposed, according to the company.
Though T-Mobile said it promptly addressed the incident, its history of cybersecurity lapses is of concern to the FCC. T-Mobile in 2021 disclosed a data breach it eventually estimated affected more than 76.6 million U.S. residents, and the company has also experienced a number of smaller-scale hacks since 2018.
“Carriers have a unique responsibility to protect customer information. When they fail to do so, we will hold them accountable. This incident is the latest in a string of data breaches at the company, and the FCC is investigating,” said an agency spokesman in an emailed statement.
After the 2021 breach, T-Mobile Chief Executive Mike Sievert said the company is “fully committed to take our security efforts to the next level.” The company reiterated this intention in a press release Thursday.
“We understand that an incident like this has an impact on our customers and regret that this occurred,” it said. “While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multiyear investments in strengthening our cybersecurity program.”
T-Mobile said in its regulatory filing it worked with external cybersecurity experts to determine the source of the malicious activity at play in its latest incident and shut it down.
“Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, based on our investigation to date, customer accounts and finances were not put at risk directly by this event,” the company assured.
T-Mobile said it believes the bad actor began retrieving customer data through his or her exploit around Nov. 25. The company is continuing to investigate the incident and disclosed it might incur “significant expenses” in relation to its efforts.