What To Know About The T-Mobile Data Breach


A T-Mobile Store exterior sign displaying the German telecommunications company’s logo. (Deposit Photos)

Ozair Hussain

Telecommunications giant T-Mobile announced Jan. 19 in an SEC filing that it was the victim of a large data breach.

The data breach resulted in the data of 37 million customers, both postpaid and prepaid, being exposed.

In the SEC filing, T-Mobile wrote that the malicious activity began in Nov. 2022, and it was not until early on Jan. 5 that the company discovered the threat actor “was obtaining data through a single Application Programming Interface (‘API’) without authorization.”

The exposed data included email addresses, billing addresses, names, account numbers, dates of birth and T-Mobile plan specifications. T-Mobile stated it “promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, [staff] were able to track the source of the malicious activity and stop it.”

Although the confidentiality of personal information was compromised, the company said “[the] API abused by the bad actor does not provide access to any customer payment card information (PCI), social security/tax IDs, driver’s license, or other government ID numbers, passwords/PINs or other financial account information, so none of this information was exposed.”

The data breach is by no means a good look for the company, as it was the victim of another data breach in Aug. 2021, which compromised the data of 40 million customers.

A cell phone displaying a spam caller on the phone’s caller ID. (Deposit Photos)

On top of that, the data breach potentially caused an increase in Caller ID spoofing, which is the practice of falsifying the information about an incoming call on the receiver’s caller ID display. Caller ID spoofing also has the ability to pass through the “Silence Unknown Callers” feature on iPhones.

HCC athletic trainer and adjunct professor Tim Happel, who uses T-Mobile, said that he found out about the most recent data breach via the news rather than T-Mobile. In fact, the only announcement or information about the data breach the company provided was on its app. Users of the carrier who do not use the app had no way of knowing about the data breach.

With this being the second data breach in less than two years, it is fair to question whether the carrier is taking the right steps to ensure the confidentiality and integrity of its customers’ data.