(Reuters) – U.S. wireless carrier T-Mobile (TMUS.O) said on Thursday it was investigating a data breach that may have exposed 37 million postpaid and prepaid accounts, and hinted at incurring significant costs related to the incident.
It’s the second major cyberattack in less than two years and comes months after the carrier agreed to upgrade its data security to settle a litigation related to a 2021 incident that compromised information of an estimated 76.6 million people.
The company identified malicious activity on Jan. 5 and contained it within a day, it said, adding no sensitive data such as financial information was exposed.
T-Mobile, however, added that basic customer data – such as name, billing address, email and phone number – was breached and that it had begun notifying impacted customers. The company has more than 110 million subscribers.
A spokesperson for the U.S. Federal Communications Commission (FCC) said the regulator had opened an investigation into the incident.
“Carriers have a unique responsibility to protect customer information. When they fail to do so, we will hold them accountable. This incident is the latest in a string of data breaches at the company, and the FCC is investigating,” the spokesperson said.
T-Mobile declined to comment on the investigation. The company’s shares fell 1% in Friday morning trade.
The news of the incident also drew sharp reaction from analysts.
“While these cybersecurity breaches may not be systemic in nature, their frequency of occurrence at T-Mobile is an alarming outlier relative to telecom peers,” said Neil Mack, senior analyst for Moody’s Investors Service.
“It could negatively impact customer behavior, cause churn to spike and potentially attract the scrutiny of the FCC and other regulators.”