T-Mobile, the No.3 U.S. wireless carrier by subscribers, said on Thursday it was investigating a data breach involving 37 million postpaid and prepaid accounts and that it could incur significant costs related to the incident.
The company, which has more than 110 million subscribers, said it identified malicious activity on January 5 and contained it within a day, adding that no sensitive data such as financial information was compromised.
However, some basic customer data — such as name, billing address, email and phone number — was obtained, and it had begun notifying impacted customers, said T-Mobile.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” the company said.
The U.S. Federal Communications Commission (FCC) has opened an investigation into the data breach, the Wall Street Journal reported on Thursday, citing an FCC spokesperson.
“While these cybersecurity breaches may not be systemic in nature, their frequency of occurrence at T-Mobile is an alarming outlier relative to telecom peers,” said Neil Mack, senior analyst for Moody’s Investors Service.
“It could negatively impact customer behavior, cause churn to spike and potentially attract the scrutiny of the FCC and other regulators.”
Last year, T-Mobile agreed to pay $350 million and spend an additional $150 million to upgrade data security to settle litigation over a cyberattack in 2021 that compromised information belonging to an estimated 76.6 million people.
The Bellevue, Washington-based company’s shares fell 2% in after-hours trade.