Cybercriminals accessed data of 37 million T-Mobile customers through an API and obtained account information, including name, billing addresses, email, phone number, date of birth, T-Mobile account number, number of lines on the account and plan features.
The telecom operator claims that no sensitive information was accessed that could put the affected prepaid or postpaid customer accounts and finances at risk. T-Mobile says that the cybercriminals started retrieving data through the impacted API (Application Programming Interface) on November 25. The impacted systems were shut down within 24 hours.
“The API abused by the bad actor does not provide access to any customer payment card information (PCI), social security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs or other financial account information, so none of this information was exposed,” T-Mobile said in an SEC filing on Thursday.
The company is working with law enforcement and has started informing the impacted customers. It said that no payment card information, social security numbers, government ID numbers or other financial account information was compromised.
“Although we are unable to predict the full impact of this incident on customer behaviour in the future, including whether a change in our customers’ behaviour could negatively impact our results of operations on an ongoing basis, we presently do not expect that it will have a material effect on the Company’s operations.”
However, in contrast to its SEC filing, the company tried to downplay the security incident and the leaked information in its customer information release, stating: “Nearly all of which is the type widely available in marketing databases or directories.”