T-Mobile USA Inc. has suffered another data breach following an attack on its email vendor with customer and employee information stolen.

The breach was disclosed Wednesday by T-Mobile to customers. Although the company didn’t provide hard numbers, it involves unauthorized access to certain T-Mobile employee email accounts, some of which contained account information for T-Mobile customers and employees.

Data stolen includes customer names and addresses, phone numbers, account numbers, rate plans and features, and billing information. Financial information and Social Security numbers were not affected.

T-Mobile said none of the information stolen has been used to commit fraud or misused in any way. The company advised users to review their accounts and update passwords to be on the safe side. In addition, affected customers are also being offered a free two-year subscription to an online credit monitoring service, a fairly typical offer following data breaches.

This is the second data breach for T-Mobile in the last six months. Two million customer records were stolen from the company following a hack that targeted an application programming interface linked to its customer website in November.

It’s notable that the data was stolen by compromising a third-party vendor. Wade Wooline, principal security researcher at security firm Rapid7 Inc., told SiliconANGLE that when organizations consider outsourcing traditional enterprise information technology services such as like email, special considerations need to be made for threat monitoring.

“Not only must the outsourced service or technology integrate with your existing logging and monitoring initiatives, but you may need to consider a new set of attack vectors to monitor for,” Wooline said. “In the case of outsourcing email to a SaaS provider, adding a layer of user behavior analytics to detect brute force attacks, authentications from unusual geographies, and simultaneous authentications from different geographies will address some of the new threats you might experience in the transition.”

Peter Goldstein, chief technology officer and co-founder of email security company Valimail Inc., noted that in an era when business email compromise attacks are proving to be a highly popular and effective attack method, these types of incidents are becoming far too common.

“T-Mobile’s breach is a clear example of how hackers can obtain a wealth of sensitive information just by compromising email accounts,” he said. “With access to a plethora of personal data on past and current customers and employees, hackers can potentially trade this data for profit in dark web marketplaces, or use it to commit account takeover, identity theft or other scams.”

Ilia Kolochenko, founder and chief executive officer of web security company ImmuniWeb, said that in light of the obscure circumstances and clouded scope of the reported breach, it would be premature to assess the overall damage or speculate about the eventual consequences, though he said T-Mobile’s public response seems to be adequate.

“This does not shield T-Mobile from individual lawsuits and class actions from the victims, but will likely minimize any penalties that regulators may impose,” he said. “The victims will likely have to prove negligence or another relatively complicated legal basis to successfully sue, and most importantly, will have to establish their damages or seek an applicable statute that may quantify compensation.”

Photo: T-Mobile