T-Mobile
US Inc. said it suffered an intrusion into a company database and was investigating the extent of the breach, after personal data on some of its wireless subscribers was found for sale on the web.

The company, which has more than 100 million subscribers, said Monday that “unauthorized access to some T-Mobile data occurred” but that it hadn’t determined whether personal information was involved.

“We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed,” the company said. “This investigation will take some time but we are working with the highest degree of urgency.”

The data breach, reported earlier by Vice’s Motherboard tech news website, was said to cover customers’ names, addresses, Social Security numbers and drivers-license details.

As of June, T-Mobile served about 84 million connections, including cellphones, mobile hotspots and other devices, through more than 26 million postpaid accounts. Cellphone carriers typically run a credit check on customers with postpaid plans, which bill subscribers for service after it is rendered. T-Mobile and its Metro brand serve another 21 million connections under prepaid voice and data plans that don’t require a credit check.

The Bellevue, Wash., company became the country’s second-largest wireless network operator last year after it closed its takeover of rival Sprint Corp. The carrier has quickly expanded its national footprint by adding stores in rural areas and upgrading its cellular equipment to support ultrafast fifth-generation, or 5G, service.

Safeguarding customer information has often challenged U.S. cellphone carriers, which collectively serve hundreds of millions of users. The Federal Communications Commission last year put four cellphone carriers on notice about their potential liability for mishandling customer location information. T-Mobile said it would dispute the U.S. regulator’s proposed penalty in that matter.

T-Mobile has dealt with other data leaks affecting subsets of its customer base. The company in 2015 said a breach at credit-reporting company
Experian
PLC leaked information on roughly 15 million of its subscribers.

In 2020, the company said it shut down an attack that had gathered some customer and employee information through a corporate email system.

Later that year, a second breach allowed hackers to steal some customers’ personal information.

Write to Drew FitzGerald at andrew.fitzgerald@wsj.com