More than 40 million T-Mobile customers have been hit by a US data breach, the company has admitted. It blamed the breach on a “highly sophisticated cyberattack”. It said it is “taking immediate steps to help protect all of the individuals who may be at risk from this cyberattack”.
The firm said that while criminals stole personal information, no financial details were leaked as a result. The breach only came to light following online reports last weekend that criminals were attempting to sell a large database containing T-Mobile customer data online.
The US telecom giant confirmed that hackers had gained access to its systems on Monday. .
“Late last week we were informed of claims made in an online forum that a bad actor had compromised T-Mobile systems,” it said.
“We immediately began an exhaustive investigation into these claims and brought in world-leading cybersecurity experts to help with our assessment.
“We then located and immediately closed the access point that we believe was used to illegally gain entry to our servers.”
The company said its investigations identified approximately 7.8 million current T-Mobile postpaid customer accounts’ information in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile.
It said that approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed but that it had reset all of the PINs on the accounts to protect customers.
It added that no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of the files of customers or prospective customers.
“We take our customers’ protection very seriously and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack,” the company said.
“While our investigation is ongoing, we wanted to share these initial findings even as we may learn additional facts through our investigation that cause the details above to change or evolve.”
Hackers previously stole the personal information of 15 million T-Mobile customers and potential customers in the US in 2015.
There is no indication yet that former UK customers of T-Mobile have been hit by the data breach.
The company’s UK operation T-Mobile UK was rebranded as EE in 2012 and sold to BT in 2016 for more than £12bn.