T-Mobile US announced it was investigating a cyberattack which compromised the personal data of 37 million customers, warning it could be on the hook for significant expenses as a result.

In a filing with the Securities and Exchange Commission (SEC), T-Mobile stated it identified malicious activity on its systems on 5 January and it believed the attack began on or around 25 November 2022.

The hacker was able to collect customer data by accessing an API without authorisation, the company said.

T-Mobile claimed it stopped the cyberattack within 24 hours of identifying the incident, stating no sensitive data relating to financial information, social security numbers, government identification or payment cards had been compromised.

Data obtained by the hacker includes user’s names, billing addresses, email, phone numbers, date of birth, T-Mobile account number, and information related to service and plan bundles.

In 2022 T-Mobile agreed to pay $350 million to settle a lawsuit related to a breach in 2021 involving more than 100 million customers.

With the company facing another high-profile attack, T-Mobile said it may incur significant expenses, but added it did not currently expect the latest breach would have a material effect on its operations.