Mobile telecommunication company T-Mobile, which is the second-largest mobile carrier in the US, reported in a regulatory filing on Thursday that a “bad actor” had managed to access and get away with the personal data of multiple customers.

In the financial filing, the company revealed that the hacker had obtained “limited types of information” that belonged to no fewer than 37 million customers. The stolen customer data included their names, billing addresses, emails, phone numbers, and dates of birth. Additionally, the hacker stole their T-Mobile account numbers and information that described the kind of service they have with the wireless carrier.

According to T-Mobile, the affected accounts included both post-paid and pre-paid customer accounts, which were compromised after the hacker accessed them through one of the telecom giant’s Application Programming Interfaces (APIs). The company’s stock fell by nearly 1.5% in after-hours trading after the development was revealed. It is currently priced at $145.14 per share.

Surprisingly, this development is not a recent one: the hacker had access to customer data from November 25 onward. T-Mobile remained unaware of the situation until much later. It detected the breach earlier this year, on January 5, and reacted by shutting down the hacker’s access to its systems and the data within the space of a day. The firm claimed that system fallbacks in place “prevented the most sensitive types of customer information from being accessed.”

The company said that the compromised data did not include passwords, payment card information, social security numbers, government ID numbers, or other financial account information. Furthermore, it added that there was no evidence that the hacker breached or compromised T-Mobile’s network or systems (instead, the hacker quietly piggybacked off one of the APIs of the mobile telecommunications firm). T-Mobile refrained from sharing how its API was exploited.

The incident has been reported to US federal agencies, and the company is now working with law enforcement to investigate the breach. It is also notifying customers who might have had their sensitive personal information stolen.

“We understand that an incident like this has an impact on our customers and regret that this occurred. While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program,” the company said in an official statement. It is evident that its current investments in its cybersecurity system have fallen short of the mark in protecting the data of its customers, especially since this is the eighth time T-Mobile has suffered a hack since 2018. A previous hack saw the personal information of over 54 million customers stolen in a ransomware attack, in which the attackers managed to access Social Security numbers and information from driver’s licenses.