Mobile virtual network operator (MVNO) Google Fi has reported a breach connected to a third-party system containing "a limited amount" of Google Fi customer data.
The tech giant made the announcement in an email to customers earlier today, confirming the stolen data includes information about when an account was activated, data about individual mobile service plans, SIM card serial numbers and active or inactive account status.
"It does not contain your name, date of birth, email address, payment card information, social security number or tax IDs, driver's license or other form of government ID, or financial account information, passwords or PINs that you may use for Google Fi or the contents of any SMS messages or calls," reads the email seen by Infosecurity.
Further, Google told affected customers that its Fi incident response team conducted an investigation and concluded that unauthorized access occurred.
"[We] have worked with our primary network provider to identify and implement measures to secure the data on that third-party system and notify everyone potentially impacted."
Google Fi has not confirmed the network provider behind the breach, but the company uses a combination of T-Mobile and US Cellular for network connectivity.
T-Mobile, in turn, revealed a separate breach roughly two weeks ago, which resulted in tens of millions of customers having their information accessed by a malicious actor via an API.
"This is another example of where subcontracting services to others can result in problems for the main organization," said Erich Kron, security awareness advocate at KnowBe4.
"While this practice is fairly common, when issues arise, the results can still be significant. Given the history of breaches related to T-Mobile, it would have been wise for Google to require additional and more stringent security measures than perhaps T-Mobile currently has in place."
More generally, Kron told Infosecurity in an email that breaches concerning cellular networks can be particularly perilous, as many people protect financial information using multi-factor authentication (MFA) delivered through those networks.
"If bad actors are able to SIM swap or receive these messages in place of the user, it can render the protection otherwise provided by MFA useless," the security expert explained.
"Security measures should be reviewed on a regular basis, and consideration, up to and including termination of contracts, must be made when a subcontractor fails to protect your data."