T-Mobile, the third-largest carrier in the United States, that has recently completed a $26 billion merger with Sprint, announced that it had experienced a second data breach in December, 2020. The security breach may have revealed call-related information and phone numbers of some of its customers.
According to the company, it recently discovered illegal access to some customer account information, including data that T-Mobile collects on its customers when considering the provision of mobile services. However, the company reported that the information affected by the violation did not include the customer’s account names, physical or email addresses, financial data, credit card information, social security numbers, tax IDs, passwords or PINs.
The information accessed by hackers is known as Customer Proprietary Network Information (CPNI). This data can include call records, such as when the call was made, how long it lasted, the caller’s phone number and destination phone numbers, and other information that is reflected in the customer’s bill.
The company’s officials stated: “Our cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account. We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved. We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers.”
In a statement, T-Mobile said its security team had shut down the illegal access and launched an investigation to establish what information was accessed.
T-Mobile has been the victim of several data breaches in recent years. In 2018, hackers accessed personal information of approximately 2 million customers, including names, addresses, and account numbers. In 2019, some of the company’s prepaid customers were affected by a breach that accessed names, addresses and account numbers. In March 2020, the attackers accessed the email accounts of T-Mobile employees and obtained financial information, social security numbers and other account information of some T-Mobile customers.