January 19, 2023 – (Bellevue, Wash.) – We are currently in the process of informing impacted customers that after a thorough investigation we have determined that a bad actor used a single Application Programming Interface (or API) to obtain limited types of information on their accounts.
As soon as our teams identified the issue, we shut it down within 24 hours. Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, customer accounts and finances should not be put at risk directly by this event. There is also no evidence that the bad actor breached or compromised T-Mobile’s network or systems.
While no information was obtained for impacted customers that would compromise the safety of customer accounts or finances, we want to be transparent with our customers and ensure they are aware.
No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised. Some basic customer information (nearly all of which is the type widely available in marketing databases or directories) was obtained, including name, billing address, email, phone number, date of birth, account number, and information such as the number of lines on the account and service plan features.
We understand that an incident like this has an impact on our customers and regret that this occurred. While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program.
This communication includes forward-looking statements within the meaning of the Private Securities Litigation Reform Act of 1995. All statements other than statements of historical fact are forward-looking statements. These forward-looking statements are generally identified by the words “anticipate,” “believe,” “estimate,” “expect,” “intend,” “may,” “could” or similar expressions. Forward-looking statements are based on current expectations and assumptions, which are subject to risks and uncertainties and may cause actual results to differ materially from the forward-looking statements. In particular, the preliminary nature of our investigation into this cyber incident, which is still ongoing, may uncover additional facts presently not known to us, which may cause us to reassess the impacts and scope of the cyber incident on our customers and on the Company’s business and operations. Further, our ability to fully assess and remedy the cybersecurity incident, and the legal, reputational and financial risks resulting from this or other cyber incidents, could also cause our results to differ materially from the forward-looking statements made above. 
Other important factors that could affect future results and cause those results to differ materially from those expressed in the forward-looking statements include, among others, the following: natural disasters, public health crises, including adverse impact caused by the COVID-19 pandemic; competition, industry consolidation and changes in the market for wireless services; disruption, data loss or other security breaches, such as the criminal cyberattack we became aware of in August 2021 and including risks related to the cybersecurity incident discussed above; our inability to take advantage of technological developments on a timely basis; our inability to retain or motivate key personnel, hire qualified personnel or maintain our corporate culture; system failures and business disruptions, allowing for unauthorized use of or interference with our network and other systems; the scarcity and cost of additional wireless spectrum, and regulations relating to spectrum use; the impacts of the actions we have taken and conditions we have agreed to in connection with the regulatory proceedings and approvals of the Transactions (as defined below), including the acquisition by DISH Network Corporation (“DISH”) of the prepaid wireless business operated under the Boost Mobile and Sprint prepaid brands (excluding the Assurance brand Lifeline customers and the prepaid wireless customers of Shentel and Swiftel Communications, Inc.), including customer accounts, inventory, contracts, intellectual property and certain other specified assets (the “Prepaid Business”), and the assumption of certain related liabilities (collectively, the “Prepaid Transaction”), the complaint and proposed final judgment (the “Consent Decree”) agreed to by us, Deutsche Telekom AG (“DT”), Sprint Corporation, now known as Sprint LLC (“Sprint”), SoftBank Group Corp. (“SoftBank”) and DISH with the U.S. District Court for the District of Columbia, which was approved by the Court on April 1, 2020, the proposed commitments filed with the Secretary of the Federal Communications Commission (“FCC”), which we announced on May 20, 2019, certain national security commitments and undertakings, and any other commitments or undertakings entered into, including but not limited to, those we have made to certain states and nongovernmental organizations (collectively, the “Government Commitments”), and the challenges in satisfying the Government Commitments in the required time frames and the significant cumulative costs incurred in tracking and monitoring compliance; adverse economic, political or market conditions in the U.S. and international markets, including those caused by the COVID-19 pandemic; our inability to manage the ongoing commercial and transition services arrangements entered into in connection with the Prepaid Transaction, and known or unknown liabilities arising in connection therewith; the timing and effects of any future acquisition, disposition, investment, or merger involving us; any disruption or failure of our third parties (including key suppliers) to provide products or services for the operation of our business; our substantial level of indebtedness and our inability to service our debt obligations in accordance with their terms or to comply with the restrictive covenants contained therein; changes in the credit market conditions, credit rating downgrades or an inability to access debt markets; restrictive covenants including the agreements governing our indebtedness and other financings; the risk of future material weaknesses we may identify while we continue to work to integrate the two companies following the Transactions, or any other failure by us to maintain effective internal controls, and the resulting significant costs and reputational damage; any changes in regulations or in the regulatory framework under which we operate; laws and regulations relating to the handling of privacy and data protection; unfavorable outcomes and increased costs from existing or future legal proceedings, including these proceedings and inquiries relating to the criminal cyberattack we became aware of in August 2021; the possibility that we may be unable to adequately protect our intellectual property rights or be accused of infringing the intellectual property rights of others; our offering of regulated financial services products and exposure to a wide variety of state and federal regulations; new or amended tax laws or regulations or administrative interpretations and judicial decisions affecting the scope or application of tax laws or regulations; our exclusive forum provision as provided in our Certificate of Incorporation; interests of our significant stockholders that may differ from the interests of other stockholders; future sales of our common stock by DT and SoftBank and our inability to attract additional equity financing outside the United States due to foreign ownership limitations by the FCC; our stock repurchase program may not be fully consummated, and may not enhance long-term stockholder value; failure to realize the expected benefits and synergies of the merger with Sprint, pursuant to the Business Combination Agreement with Sprint and the other parties named therein (as amended, the “Business Combination Agreement”) and the other transactions contemplated by the Business Combination Agreement (collectively, the “Transactions”) in the expected time frames or in the amounts anticipated; any delay and costs of, or difficulties in, integrating our business and Sprint's business and operations, and unexpected additional operating costs, customer loss and business disruptions, including challenges in maintaining relationships with employees, customers, suppliers or vendors; unanticipated difficulties, disruption, or significant delays in our long-term strategy to migrate Sprint's legacy customers onto T-Mobile's existing billing platforms; and other risks as disclosed in our most recent annual report on Form 10-K, 10-Q and other filings with the Securities and Exchange Commission. Given these risks and uncertainties, readers are cautioned not to place undue reliance on such forward-looking statements. We undertake no obligation to revise or publicly release the results of any revision to these forward-looking statements, except as required by law.