(CNN) — T-Mobile said a “bad actor” accessed personal data from 37 million current customers in a November data breach.
In a regulatory filing Thursday, the company said the hacker stole customer data that included names, billing addresses, emails, phone numbers, dates of birth, T-Mobile account numbers and information describing the kind of service they have with the wireless carrier. T-Mobile said no social security numbers, credit card information, government ID numbers, passwords, PINs or financial information were exposed in the hack.
Nevertheless, that information can be compiled with other stolen or publicly available information and used by scammers to steal people’s identities or money. T-Mobile said it is working with law enforcement and has begun to notify customers whose information may have been breached.
The wireless carrier didn’t indicate what it might do to remedy the situation. It noted that it could be on the hook for “significant expenses” because of the hack, although the company said it doesn’t expect the charges will have a material effect on T-Mobile’s bottom line.
After T-Mobile learned about the data breach, the company said it hired an external cybersecurity team to investigate. T-Mobile was able to discover the source of the breach and stop it a day after the hack was discovered. The company says it continues to investigate the breach but believes it is “fully contained.” It also noted T-Mobile’s systems and network do not appear to have been hacked.
“Protecting our customers’ data remains a top priority,” T-Mobile said in a statement. “We will continue to make substantial investments to strengthen our cybersecurity program.”
The company noted that it began a “substantial, multi-year investment” in 2021 to improve its cybersecurity capabilities and protections.