T-Mobile has disclosed yet another data breach, exposing data belonging to 37 million customers.
T-Mobile said a threat actor retrieved data through an API on or around Nov. 25. The breach wasn’t detected until Jan. 5, and the access was cut off to the API next day.
PII information stolen included names, billing addresses, email addresses, phone numbers, and dates of birth. Customer payment card information, Social Security numbers, IDs, passwords, and other account data were not accessed by the bad actor.
T-Mobile has hired third-party cybersecurity experts inform law enforcement and notify customers.
Previous breaches involving T-Mobile include the theft of the details of 2 million customers in August 2018, a hack involving the theft of prepaid customer data in November 2019, the theft of employee and customer data in March 2021 and the theft of 48 million records in August 2021.
The August 2021 breach resulted in T-Mobile agreeing to pay $500 million to settle a class action lawsuit in July. Under the agreement, $350 million went to a settlement fund, and $150 million went toward enhancing data security measures.