The wireless carrier T-Mobile has reported another data breach, this time affecting approximately 37 million customers. According to the disclosure the company filed with the SEC, the company believes a threat actor first gained access to information in November 2022. T-Mobile found out about the breach on January 5th, 2023, and had details and notifications out to customers within 24 hours. The threat actor was able to gain initial access through an API where they stole data including customer names, account numbers, and billing addresses. No sensitive information was stolen according to T-Mobile.
Even though the data stolen in the breach did not include sensitive information, the stolen data could still be used to carry out attacks if used in conjunction with other publicly available data. The company has stated that the malicious activity has been contained at this point for this attack. Whenever a customer is notified by a company of a data breach, they should ensure they are taking the proper steps to protect themselves including monitoring their credit and being on the lookout for phishing emails.