Item 8.01 — Other Events.
On January 5, 2023, T-Mobile US, Inc. (the “Company,” “we,” or “our”) identified that a bad actor was obtaining data through a single Application Programming Interface (“API”) without authorization. We promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, we were able to trace the source of the malicious activity and stop it. Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network.
Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, based on our investigation to date, customer accounts and finances were not put at risk directly by this event. The API abused by the bad actor does not provide access to any customer payment card information (PCI), social security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs or other financial account information, so none of this information was exposed. Rather, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features. The preliminary result from our investigation indicates that the bad actor(s) obtained data from this API for approximately 37 million current postpaid and prepaid customer accounts, though many of these accounts did not include the full data set.
We currently believe that the bad actor first retrieved data through the impacted API starting on or around November 25, 2022. We are continuing to diligently investigate the unauthorized activity. In addition, we have notified certain federal agencies about the incident, and we are concurrently working with law enforcement. Additionally, we have begun notifying customers whose information may have been obtained by the bad actor in accordance with applicable state and federal requirements.
As we have previously disclosed, in 2021, we commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity. We have made substantial progress to date, and protecting our customers’ data remains a top priority. We will continue to make substantial investments to strengthen our cybersecurity program.
We may incur significant expenses in connection with this incident.
Although we are unable to predict the full impact of this incident on customer behavior in the future, including whether a change in our customers’ behavior could negatively impact our results of operations on an ongoing basis, we presently do not expect that it will have a material effect on the Company’s operations.
Forward-Looking Statements
This Current Report on Form 8-K includes forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. All statements other than statements of historical fact are forward-looking statements. These forward-looking statements are generally identified by the words “anticipate,” “believe,” “estimate,” “expect,” “intend,” “may,” “could” or similar expressions. Forward-looking statements are based on current expectations and assumptions, which are subject to risks and uncertainties and may cause actual results to differ materially from the forward-looking statements. In particular, the preliminary nature of our investigation into this cyber incident, which is still ongoing, may uncover additional facts presently not known to us, which may cause us to reassess the impacts and scope of the cyber incident on our customers and on the Company’s business and operations. Further, our ability to fully assess and remedy the cybersecurity incident, and the legal, reputational and financial risks resulting from this or other cyber incidents, could also cause our results to differ materially from the forward-looking statements made above. Other important factors that could affect future results and cause those results to differ materially from those expressed in the forward-looking statements include, among others, the following: natural disasters, public health crises, including adverse impact caused by the COVID-19 pandemic; competition, industry consolidation and changes in the market for wireless services; disruption, data loss or other security breaches, such as the criminal cyberattack we became aware of in August 2021 and including risks related to the cybersecurity incident discussed above; our inability to take advantage of technological developments on a timely basis; our inability to retain or motivate key personnel, hire qualified personnel or maintain our corporate culture; system failures and business disruptions, allowing for unauthorized use of or interference with our network