T-Mobile US Inc. has disclosed yet-another data breach, with the latest breach compromising data belonging to 37 million customers.

In a filing today with the U.S. Security and Exchange Commission, T-Mobile said a bad actor first retrieved data through an application programming interface on or around Nov. 25. The breach wasn’t detected until Jan. 5, and the company cut off access to the API one day later.

Information stolen included names, billing addresses, email addresses, phone numbers and dates of birth. Customer payment card information, Social Security numbers, IDs, passwords and other account data were not accessed by the bad actor.

T-Mobile covered the standard responses in relation to a breach, hiring third-party cybersecurity experts, informing law enforcement and notifying customers. The only thing seemingly missing is an offer of free credit monitoring to affected customers.

“As we have previously disclosed, in 2021, we commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity,” T-Mobile said in its filing. “We have made substantial progress to date, and protecting our customers’ data remains a top priority. We will continue to make substantial investments to strengthen our cybersecurity program.”

Unfortunately for T-Mobile customers, the “substantial progress to date” does not include preventing data breaches from happening.

The latest breach could have a big financial impact on the company, according to Neil Mack, vice president and senior analyst for Moody’s Investors Service, who called it “credit negative. “It raises questions about the company’s cyber risk governance and management practices,” he told SiliconANGLE. “While these cybersecurity breaches may not be systemic in nature, their frequency of occurrence at T-Mobile is an alarming outlier relative to telecom peers, and it could negatively impact customer behavior, cause churn to spike and potentially attract the scrutiny of the FCC and other regulators.”

Things that are certain in life are death, taxes and T-Mobile data being stolen. Depending on the source, the company has suffered about a half-dozen breaches since 2018, although Bleeping Computer puts the figure at eight.

Previous hacks involving T-Mobile include the theft of the details of 2 million customers in August 2018, a hack involving the theft of prepaid customer data in November 2019, the theft of employee and customer data in March 2021 and the theft of 48 million records in August 2021.

The August 2021 breach resulted in T-Mobile agreeing to pay $500 million to settle a class action lawsuit in July. Under the agreement, $350 million went to a settlement fund and $150 million went toward enhancing data security measures.

Image: T-Mobile