T-Mobile’s Latest Breach Sparks Outcry, Warnings  

T-Mobile’s recent disclosure of another data breach has prompted harsh criticism from cybersecurity experts, along with warnings about the importance of protecting application programming interfaces.

“To be hacked twice in the span of a bit over a year is pretty egregious,” Mauricio Sanchez of Dell’Oro Group, a telecoms research firm, tells Cybersecurity Dive.

The nation’s second-largest wireless carrier said in an SEC filing that a threat actor compromised the records of 37 million customers in a breach discovered January 5.

The incident was the second massive data breach for T-Mobile in less than 18 months and the fifth publicly confirmed cybersecurity incident in three years. It comes six months after the company agreed to pay $500 million to settle a class action lawsuit over the previous mega-breach, in August 2021, which affected 77 million people.

“Five breaches in five years,” Chester Wisniewski, field chief technical officer of applied research at the security firm Sophos, noted to CNET. “People can decide for themselves if they want to stick with T-Mobile.” Wisniewski observes to Wired that the hackers had access to T-Mobile’s networks for more than a month, which he said indicates the company did not use “modern security monitoring and threat hunting teams.”

Jake Williams, an analyst at the Institute for Applied Network Security, was similarly blunt. “How many of these does T-Mobile have to have?” the longtime incident responder muses to Wired. “The bottom line is that T-Mobile’s API security clearly needs work.”

T-Mobile’s disclosure that its latest breach resulted from unauthorized use of an API has led experts to emphasize the urgency of API security, as SC Media reports. Ilia Kolochenko, founder of IT security company ImmuniWeb, tells the news service, “Unprotected APIs are rapidly becoming one of the primary sources of disastrous data breaches.”
