T-Mobile has started notifying customers of a data breach that may have compromised certain types of personal information, including customer names and billing addresses.
In a notice sent to customers this week, T-Mobile said it discovered a “malicious attack” had allowed unknown individuals to access accounts associated with T-Mobile employees. Some of those accounts may have contained customer information, including customer names, addresses, phone numbers, account numbers, features and billing information, the company said.
The attack originated with an email vendor that provides services to T-Mobile employees, the company said. Financial information like credit card numbers, Social Security numbers were not compromised as part of the attack.
“An investigation was immediately commenced, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was affected,” a T-Mobile executive said. “We immediately reported this matter to federal law enforcement and are actively cooperating in their investigation.”
T-Mobile has started notifying customers via text message and other means. The company said some customers who were impacted by the breach may not have received a message, but should expect to receive one in the coming days as the investigation continues.
T-Mobile said it has seen no evidence that customer information was used to commit acts of fraud, but said customers who receive the notice should review their account information and update associated PINs and passcodes tied to their accounts.
The data breach is the second time in less than a year T-Mobile has notified customers their information may have been compromised.
Last November, T-Mobile said an attack involved the theft of subscriber information associated with the company’s prepaid service. The company said specific financial information and user passwords were not compromised as part of the attack.
News of the latest data breach comes amid reports that T-Mobile, which is set to merge with Sprint, is fighting a $91 million fine imposed by the Federal Communications Commission (FCC) over the sale of of customer location information.
The FCC said T-Mobile, Sprint and two competing wireless companies had sold the data to third party companies without taking adequate steps to ensure the information would not be obtained via “unauthorized access.”
“We find that T-Mobile apparently disclosed its customers’ location information, without their consent, to third parties who were not authorized to receive it,” the FCC said in a notice last week. “In addition, even after highly publicized incidents put the Company on notice that its safeguards for protecting customer location information were inadequate, T-Mobile apparently continued to sell access to its customers’ location information for the better part of a year without putting in place reasonable safeguards—leaving its customers’ data at unreasonable risk of unauthorized disclosure.”
Responding to the fine, a T-Mobile executive said it took “privacy and security of our customers’ data very seriously.”
“When we learned that our location aggregator program was being abused…we took quick action,” the company said. “We were the first wireless provider to commit to ending the program and terminated it in February 2019 after first ensuring that valid and important services were not adversely impacted.”