T-Mobile has disclosed yet another data breach, its second disclosed breach in 2023, affecting fewer than 1,000 customers versus the 37 million affected in the last breach, it’s the eighth data breach since 2018.
This breach was discovered in March and affected 836 customers. In a letter to affected customers, T-Mobile described the breach as an unauthorized activity involving a bad actor gaining access to information from a small number of customers between late February and March.
Stolen data includes (PII) full names, contact information, account numbers and associated phone numbers, T-Mobile account PINs, Social Security numbers, government IDs, dates of birth, balance due and internal codes used by T-Mobile to service customer accounts. No financial account information or call records were affected.
T-Mobile has reset the PINs of customers affected and is also offering them two years of free credit monitoring and identity theft services.
The previously disclosed breach in January involved the theft of 37 million customer records, including personally identifiable information, that started on or around Nov. 25 and wasn’t detected until Jan. 5.
Previous hacks involving T-Mobile include the theft of the details of 2 million customers in August 2018, a hack involving the theft of prepaid customer data in November 2019, the theft of employee and customer data in March 2021 and the theft of 48 million records in August 2021. Lapsus$ also breached T-Mobile’s internal systems in April 2022.
The breach in August 2021 resulted in T-Mobile agreeing to pay $500 million to settle a class action lawsuit in July. Under the agreement, $350 million went to a settlement fund and $150 million went toward enhancing data security measures.