Big data hacks have become commonplace, but that doesn’t make them any less worrying.
In the latest such incident, T-Mobile (TMUS) said information on 37 million of its customers was obtained by a “bad actor.”
The hack was disclosed in a regulatory filing with the Securities and Exchange Commission on Thursday, Jan. 19.
The hacker had access to the data for nearly six weeks before they were detected, according to the filing.
They first got into the system on Nov. 25, 2022 but weren’t detected until Jan. 5.
The attack is acutely embarrassing for T-Mobile as it was the second such attack in two years.
On Aug. 16, 2021, T-Mobile disclosed a cyberattack that obtained data on 7.8 million current customers and 40 million former or prospective customers who had applied for credit with T-Mobile.
As for the specifics of the customer data that was obtained, T-Mobile said in the filing that it included "name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account."
The company said that "Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, based on our investigation to date, customer accounts and finances were not put at risk directly by this event."
While it's small comfort to the victims, it appears less data was compromised in the latest attack, compared with the 2021 incident.
In that case, Social Security numbers, addresses, birthdates and driver’s license information of at least some customers or applicants were compromised.
The company said it was confident it had closed the access point that allowed the latest data to be stolen. In addition it said "we have notified certain federal agencies about the incident, and we are concurrently working with law enforcement."
T-Mobile said "we have begun notifying customers whose information may have been obtained by the bad actor in accordance with applicable state and federal requirements."
