T-Mobile disclosed its second data breach of 2023 after discovering that attackers had access to the personal information of hundreds of customers for more than a month, starting in late February 2023.
Compared to previous data breaches reported by T-Mobile, the latest of which affected 37 million people, this incident affected only 836 customers. Yet the exposed information is extensive and leaves those affected open to identity theft and phishing attacks.
“In March 2023, the measures we put in place to alert us to unauthorized activity worked as intended and we were able to determine that a malicious actor had gained access to limited information from a small number of T-Mobile accounts between late February and March 2023,” the company said in data breach notification letters sent to affected individuals on Friday, April 28, 2023, just before the weekend.
T-Mobile said the threat actors did not have access to the call recordings or personal financial account information of the individuals involved, but the personally identifiable information exposed contains more than enough data for identity theft.
While the information exposed varied for each of the affected customers, it could include “full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID card, date of birth, balance owing, internal information codes T-Mobile uses to manage customer accounts (e.g., rate plan and feature codes), and number of lines.”
After detecting the security breach, T-Mobile proactively reset the PINs of affected customers’ accounts and is now offering them two years of free credit monitoring and identity theft detection services through TransUnion myTrueIdentity.
A T-Mobile spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today asking for more details.
Second data breach disclosed in 2023
This is the second such incident disclosed by T-Mobile since the start of the year, with the previous data breach disclosed on January 19, after attackers stole the personal information of 37 million customers by abusing a vulnerable application programming interface (API) in November 2022.
The mobile operator spotted the malicious activity of threat actors on January 5 and cut off their access to its systems within 24 hours.
T-Mobile described the data stolen in the January breach as “basic customer information,” including “name, billing address, email, phone number, date of birth, T-Mobile account number, and information such as the number of lines on the account and plan features.”
Since 2018, the mobile operator has disclosed seven other data breaches, including one that revealed the information of approximately 3% of all T-Mobile customers.
Other incidents reported by T-Mobile in recent years include: