Hackers breach T-Mobile customer records

Customers line up outside a T-Mobile store

T-Mobile has suffered a data breach affecting information government agencies consider highly sensitive. The breach is the company's fourth since 2018.

The breach affected about 200,000 customers, according to reports, and T-Mobile said the breach impacted a range of information, including customer phone numbers, the number of lines subscribed on their account, and possibly call-related information collected as part of their cellular service.

It didn't affect personally identifiable information, such as names, addresses, email addresses, financial data, social security numbers, or PINs.

What to do in case of a data breach Amazon sacks employee over data breach Blackbaud admits bank account details were lost in May data breach Hackers demand ransom from therapy patients after clinic data breach

The information affected still represents a serious risk. The leaked data is known as customer proprietary network information (CPNI), and the Federal Communications Commission (FCC) considers it "some of the most sensitive information that carriers and providers have about their customers." CPNI includes the phone numbers the customer called, when they made the calls, and how long the calls were. This is otherwise known as call metadata, and intelligence agencies have long sought it for surveillance purposes.

"Our Cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account," T-Mobile said in the statement on its website.

"We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved. We also immediately reported this matter to federal law enforcement and are now in the process of notifying impacted customers."

This isn't the first data breach T-Mobile has suffered. In 2018, the company warned users someone had unauthorized access to information, including their phone number, email address, account number, and date of birth.

In November 2019, T-Mobile admitted a systems breach had affected over 1 million customers. That heist targeted information related to prepaid wireless accounts and included names, addresses, phone numbers, and other CPNI data. In March 2020, the company also notified customers that the breach might have compromised their personal and financial information.

In April 2020, T-Mobile US completed its $26 billion merger with US carrier Sprint Corporation to build a nationwide 5G network.

Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing.

Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.