Another T-Mobile Data Breach

T-Mobile recently disclosed a data breach that exposed the information of roughly 37 million customers. 

The announcement, filed with the SEC, stated that the mobile carrier “identified that a bad actor was obtaining data…without authorization,” and “promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, we were able to trace the source of the malicious activity and stop it.”

While this makes it sound like T-Mobile acted quickly, the company admits that the threat actor was able to access customer data starting “on or around November 25, 2022,” meaning that it may have taken well over a month to identify their activity.

T-Mobile has a long history of data breaches and lax cybersecurity standards, with at least nine documented incidents since 2016, the worst one resulting in a $500 million class action settlement. 

T-Mobile’s statement ends with a commitment to enhancing their cybersecurity, claiming to “have made substantial progress to date.” They state, “protecting our customers’ data remains a top priority.”

If this sounds like a promise to enhance their security, consider statements made on behalf of T-Mobile in previous years:

  • “Keeping our customers’ data safe is a responsibility we take incredibly seriously and preventing this type of event from happening has always been a top priority of ours,” said T-Mobile CEO Mike Sievert in 2021.
  • “We have a number of safeguards in place to protect personal information from unauthorized access, use, or disclosure. Fortunately, we discovered this activity quickly and shut it down immediately,” said a spokesperson in 2019.
  • “We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access,” the company website stated regarding a 2018 data breach.
  • “I take our customer and prospective customer privacy very seriously. This is no small issue for us,” said then-CEO John Legere in 2015 about a breach affecting customers between 2013 and 2015.

While the most recent breach doesn’t appear to have compromised sensitive customer PII (although more information may come to light), and many companies have experienced data breaches and cybercrime incidents, the sheer repetition of the above statements should give customers pause when they consider the relative safety of their data at one of the country’s largest mobile carriers.