T-Mobile discloses its second data breach so far this year

T-Mobile has experienced another data breach, reporting that personal information belonging to hundreds of account holders was exposed in an attack between late February and March 2023. The company disclosed in notification letters issued to impacted customers on April 28th that a hacker managed to access information such as full names, dates of birth, addresses, contact information, government IDs, social security numbers, and T-Mobile account pins.

The company has not revealed how the hacker managed to access its systems. According to a data breach notification posted to the Maine attorney general’s office, 836 customers were impacted before T-Mobile discovered the breach on March 27th.

In the disclosure letter (first spotted by Bleeping Computer), T-Mobile claims that no personal financial information or call records were accessed in the breach and says it has proactively reset the account pins of affected users — which customers use to verify their identity in order to make account changes. The company is also offering impacted customers two years of free credit monitoring and identity theft detection services.

“While we have a number of safeguards in place to alert us to unauthorized access such as this from happening, we recognize that we must continue to make improvements to stay ahead of bad actors,” said T-Mobile in the letter to its impacted account holders. “We take these issues seriously. We apologize that this happened and are furthering efforts to enhance security of your information.”

This is now the ninth data breach that T-Mobile has disclosed since 2018, the second breach alone this year after reporting that data from 37 million accounts was leaked between November 2022 and January 2023. The number of impacted users in the latest incident pales in comparison, but the information obtained could be used to facilitate identity theft. Previous breaches have also been reported in January, August, and December of 2021.