FCC Investigating T-Mobile Breach Affecting Data from 37M Customers
The FCC is investigating the latest data breach at T-Mobile, an agency spokesperson said Friday. T-Mobile reported in an SEC filing Thursday that someone started obtaining data through a single application programming interface (API) starting Nov. 25. T-Mobile said it became aware of the breach Jan. 5. The perpetrator accessed billing addresses, email, phone numbers and other limited data covering about 37 million customers, the company said.
“Carriers have a unique responsibility to protect customer information,” an FCC spokesperson emailed: “When they fail to do so, we will hold them accountable. This incident is the latest in a string of data breaches at the company, and the FCC is investigating.” T-Mobile has reported at least three breaches since 2018. A 2021 breach included information from about 7.8 million postpaid customer accounts and the records of more than 40 million former or prospective customers (see 2108180062).
The FCC already is taking a deeper dive into data security, seeking comment on revised rules for carriers to report data breaches in a recent NPRM (see 2301060057), The NPRM proposes rules that could set a timeline for when providers have to report a breach. “Carriers have access to a treasure trove of data about who we talk to, where we go, and who we are,” Chairwoman Jessica Rosenworcel said at a recent speech at the Center for Strategic and International Studies (see 2301170068). “We need to make sure this deeply personal data does not fall into the wrong hands,” she said.
“While it is a bit of a deja vu all over again, the serious question for the FCC is whether it wants to continue the current pattern of periodic breeches, discouraged only by brand damage and by paying out class-action damages and FCC fines, or to take more aggressive action to assure such breeches never, or rarely, happen again,” New Street’s Blair Levin told us. “The answer is not obvious, but it is the kind of question that expert agencies were created to evaluate,” he said.
“All three of the major cell phone carriers have had serious data breaches in recent years” and “T-Mobile is a repeat offender,” emailed PIRG Consumer Watchdog Teresa Murray. “We believe the FCC should absolutely hold these carriers accountable by requiring timely notification of a breach,” she said: "Not only should that disclosure be made to authorities, but companies should have the integrity to notify customers quickly. ... It's been more than two weeks.” Murray said her family has five T-Mobile lines “and not a single one of us has heard a peep out of T-Mobile.”
After learning of the breach, T-Mobile “promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, we were able to trace the source of the malicious activity and stop it,” the carrier said in the SEC filing: “Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network.”
T-Mobile said its systems and policies “prevented the most sensitive types of customer information from being accessed, and as a result, based on our investigation to date, customer accounts and finances were not put at risk directly by this event.” The API involved doesn’t provide access to credit card information, social security numbers, tax IDs, driver’s license or other government ID numbers, passwords or personal information numbers, “or other financial account information, so none of this information was exposed,” the carrier said.
“As soon as our teams identified the issue, we shut it down within 24 hours,” said a T-Mobile news release: “While no information was obtained for impacted customers that would compromise the safety of customer accounts or finances, we want to be transparent with our customers and ensure they are aware.” T-Mobile said it regrets the attack. “While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program,” it said.
The latest breach is “credit negative and raises questions about the company's cyber risk governance and management practices," wrote Moody’s Neil Mack: "While these cybersecurity breaches may not be systemic in nature, their frequency of occurrence at T-Mobile is an alarming outlier relative to telecom peers, and it could negatively impact customer behavior, cause churn to spike and potentially attract the scrutiny of the FCC and other regulators."
“It is very disappointing being hacked the n-th time and will prompt regulatory questions,” emailed Recon Analytics’ Roger Entner: “T-Mobile’s past performance has shown that customers are undeterred by such hacks and sign up with T-Mobile in large numbers anyway.”