T-Mobile US Inc. has disclosed yet-another data breach, its second disclosed breach in 2023, and although this one affected fewer than 1,000 customers versus the 37 million affected in the last breach, it’s the eighth data breach since 2018.

The latest data breach was discovered in March and affected 836 customers. In an April 28 letter to affected customers, first spotted by Bleeping Computer today, T-Mobile described the breach as an unauthorized activity involving a bad actor gaining access to information from a small number of customers between late February and March.

The data stolen included full names, contact information, account numbers and associated phone numbers, T-Mobile account PINs, Social Security numbers, government IDs, dates of birth, balance due and internal codes used by T-Mobile to service customer accounts. No financial account information or call records were affected.

T-Mobile has reset the PINs of customers affected and is also offering them two years of free credit monitoring and identity theft services. There is no mention in the letter of T-Mobile contacting law enforcement or hiring a third-party forensics firm, which is typically seen in these circumstances, but the company probably already has a third-party firm at hand and the latest breach may have just been added to previous investigations.

In its letter, T-Mobile says twice that it takes these issues seriously, although that’s highly subjective given the company’s history of being hacked. To the company’s credit, though, it adds that “while we have a number of safeguards in place to prevent unauthorized access such as this from happening, we recognize that we must continue to make improvements to stay ahead of bad actors.”

It’s another in a long list of T-Mobile data breaches. The previously disclosed breach in January involved the theft of 37 million customer records, including personally identifiable information, that started on or around Nov. 25 and wasn’t detected until Jan. 5.

Previous hacks involving T-Mobile include the theft of the details of 2 million customers in August 2018, a hack involving the theft of prepaid customer data in November 2019, the theft of employee and customer data in March 2021 and the theft of 48 million records in August 2021. Lapsus$ also breached T-Mobile’s internal systems in April 2022.

The breach in August 2021 resulted in T-Mobile agreeing to pay $500 million to settle a class action lawsuit in July. Under the agreement, $350 million went to a settlement fund and $150 million went toward enhancing data security measures.

“This incident highlights the need for smart automation when it comes to containment and remediation of data breaches,” Dror Liwer, co-founder of cybersecurity company Coro Security Ltd., told SiliconANGLE. “T-Mobile put measures in place to alert them of unauthorized activity, but the attacker had access to the data for a month. Should automation have been deployed, that timeframe would have been cut to a fraction.”

Photo: Schwenke/Flickr