T-Mobile data breaches — exercise your GDPR rights

T-Mobile has suffered a series of serious data breaches, most notably in 2021 — when attackers accessed records of over 76 million people, including Social Security numbers and driver's licence data for more than 54 million — and in 2023, when an API vulnerability exposed data on 37 million current customers. EU and UK residents who use T-Mobile services may invoke GDPR rights.

⚖️ Regulatory action: T-Mobile reached a US$15.75 million FCC settlement in September 2024 covering the 2021–2023 breaches. No formal EU GDPR fine has been issued, but the breaches affect EU residents and GDPR requests remain valid.

What happened

2021: 76.6 million people affected (54 million with SSNs/IDs exposed)

An attacker exploited an unprotected router to reach T-Mobile's internal systems, then used brute-force techniques to access customer records. Over 76 million people were affected; more than 54 million had highly sensitive data stolen, including Social Security numbers, dates of birth, and driver's licence numbers. T-Mobile agreed to a US$500 million settlement, including US$350 million for affected customers.

Data exposed:
  • Full names
  • Dates of birth
  • Social Security numbers
  • Driver's licence / ID numbers
  • Phone numbers
  • IMEI numbers
  • Account PINs (prepaid customers)

2023: 37 million customers affected

Attackers exploited a vulnerability in T-Mobile's API from approximately November 2022 until discovery in January 2023. The API allowed unauthorised access to basic customer account data across 37 million accounts — one of the largest API-related breaches on record.

Data exposed:
  • Full names
  • Phone numbers
  • Billing addresses
  • Email addresses
  • Account type and plan information
  • Dates of birth

What you can do

If you are a T-Mobile customer or have used T-Mobile services, T-Mobile may hold personal data about you. A GDPR subject access request establishes what data they process, whether it was caught in either breach, and your rights to deletion.

You have two key rights under GDPR:

Note: T-Mobile US, Inc. is the primary controller. EU residents may also have claims against Deutsche Telekom Group subsidiaries. Submit privacy requests via T-Mobile's privacy portal.

Generate your access request

This letter is pre-addressed to T-Mobile USA, Inc., the official EU data controller for T-Mobile.

To: T-Mobile USA, Inc.
12920 SE 38th Street, Bellevue, WA 98006, USA

Dear Data Protection Officer,

I am writing to exercise my rights under the General Data Protection Regulation (GDPR). As an individual whose personal data you process, I am requesting the following information:

  1. Confirmation that you are processing my personal data.
  2. A copy of my personal data.
  3. The purposes of the processing.
  4. The categories of personal data concerned.
  5. The recipients or categories of recipients to whom my personal data has been or will be disclosed.
  6. The envisaged period for which my personal data will be stored, or the criteria used to determine that period.
  7. The existence of my right to request rectification or erasure of my personal data, or restriction of processing, or to object to such processing.
  8. Information about the source of my personal data if it was not collected directly from me.
  9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

Below is my information for your reference:

Name:
Email:
Address:

This request is of utmost importance to me and should not be ignored. The GDPR mandates that you respond within one month. Failure to comply may result in further action being taken.

Thank you for your prompt attention to this matter.

Sincerely,

1. Copy and send this letter to the data controller of the organisation.

2. Follow up until you hear back. The GDPR requires a response within one month.

3. No response? Lodge a complaint with your local data protection authority.
