Telecom player T-Mobile US has suffered a cybersecurity incident that resulted in the exposure of personal details of 37 million users, the company reported in a filing to the US Securities and Exchange Commission on Thursday.  Customer data such as customer name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features were exposed, the company revealed.  However, T-Mobile in a statement insisted that customer payment card information (PCI), social security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs or other financial account information were not exposed, it .  Data obtained through a single API  T-Mobile said it found that a bad actor had obtained data through a single Application Programming Interface (API) without authorization on January 5. However, the company said the bad actor first retrieved data through the impacted API starting on or around November 25, 2022.  There was an investigation conducted by external cybersecurity experts and within a day of identifying the malicious activity, the source was traced, and the activity was stopped.  “Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” T-Mobile said.  The company said it has notified certain federal agencies about the incident and is concurrently working with law enforcement.

Read full article on CSO Online