T-Mobile US today said someone abused an API to download the personal information of 37 million subscribers.
A regulatory filing [PDF] disclosed one or more miscreants were able to access potentially the “name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features” of each affected customer.
Passwords, payment details, and other sensitive information were not obtained, we’re told. The stolen data covers “current postpaid and prepaid customer accounts.”
A T-Mo statement on Thursday explained the carrier has started informing people their personal data was accessed, and offered the opinion that “customer accounts and finances should not be put at risk directly by this event.”
Note the use of “directly” – an apparent acknowledgement that the siphoned records can be used as the basis for phishing, identity theft, and the like, meaning pain could be felt weeks or months after folks are warned of the security fiasco.
The press statement described the stolen data as “basic” and “nearly all of which is the type widely available in marketing databases or directories.” Oh, so that’s OK, then. No need to really worry about data security. Your personal info is already out there, everywhere, anyway. Thanks to companies like T-Mobile US, of course.
The SEC filing, meanwhile, added the carrier spotted “a bad actor was obtaining data through a single Application Programming Interface (API) without authorization” on January 5, 2023. Subsequent investigations led