Less than four months after wireless provider T-Mobile agreed to settle a class-action lawsuit over a serious data breach, the company says it once again fell victim to a security incident in which customer information was stolen.
In a statement on Thursday, T-Mobile said a “bad actor” took advantage of a flaw in the company’s Application Programming Interface (API) to harvest a significant amount of personal information related to customers.
The data collected by the person or group included names, billing addresses, e-mail addresses, dates of birth, phone numbers, account numbers and some customer service-related information like the number of phone lines on an account. T-Mobile said the information is “the type widely available in marketing databases or directories,” though it wasn’t clear if T-Mobile itself had ever provided or sold that type of customer information to third-party marketers.
T-Mobile affirmed it was unlikely customers were at any serious risk of having their accounts or finances impacted, and no passwords, credit or debit card numbers, government ID numbers or social security numbers were collected.
The statement appeared to come following inquiries from journalists who learned about the incident, which occurred earlier this month. On Thursday, financial newswire Reuters said 37 million customers were affected; T-Mobile says it is in the process of notifying those customers.
T-Mobile said the incident was not a conventional hack or security breach, and no systems were impaired, suggesting the person or group who obtained the information may have had legitimate access to T-Mobile’s API, but used that access in a way T-Mobile didn’t intend.
“We understand that an incident like this has an impact on our customers and regret that this occurred,” a T-Mobile spokesperson said on Thursday. “While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program.”
Those investments followed several actual security incidents in which tens of millions of T-Mobile customers had sensitive, personal information compromised. In some of those cases, the breaches were so egregious and severe that T-Mobile offered credit monitoring to affected customers — and some of those customers sued.
In September, T-Mobile agreed to spend $350 million to settle claims from a class-action lawsuit connected to a security incident involving subscriber data two years ago. Customers in California were entitled to $100 settlement checks, while those in other states were eligible for $50. Around 76 million current and former T-Mobile customers, as well as subscribers of T-Mobile’s prepaid subsidiary Metro by T-Mobile (formerly MetroPCS), are covered by the settlement.