(Reuters) -T-Mobile, the No.3 U.S. wireless carrier by subscribers, said on Thursday it was investigating a data breach involving 37 million postpaid and prepaid accounts and that it could incur significant costs related to the incident.
The company, which has more than 110 million subscribers, said it identified malicious activity on Jan. 5 and contained it within a day, adding that no sensitive data such as financial information was compromised.
However, some basic customer data — such as name, billing address, email and phone number — was obtained, and it had begun notifying impacted customers, said T-Mobile.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” the company said.
The U.S. Federal Communications Commission (FCC) has opened an investigation into the data breach, the Wall Street Journal reported on Thursday, citing an FCC spokesperson.
FCC and T-Mobile did not immediately respond to Reuters’ requests for comment on the reported investigation.
“While these cybersecurity breaches may not be systemic in nature, their frequency of occurrence at T-Mobile is an alarming outlier relative to telecom peers,” said Neil Mack, senior analyst for Moody’s Investors Service.
“It could negatively impact customer behavior, cause churn to spike and potentially attract the scrutiny of the FCC and other regulators.”
Last year, T-Mobile agreed to pay $350 million and spend an additional $150 million to upgrade data security to settle litigation over a cyberattack in 2021 that compromised information belonging to an estimated 76.6 million people.
The Bellevue, Washington-based company’s shares fell 2% in after-hours trade.
(Reporting by Eva Mathews and Lavanya Ahire in Bengaluru; Editing by Sriraj Kalluvila, Maju Samuel, Rashmi Aich and Savio D’Souza)