In 2019, Motherboard/Vice revealed that AT&T was selling real-time customer location data through a chain of intermediaries that ended up in the hands of bounty hunters and stalkers. For as little as $300, anyone could locate any AT&T phone in America. A reporter paid a bounty hunter who found a phone's location within minutes. AT&T had promised the FCC in 2018 it would stop — then kept doing it.

From 2012 to 2016, Verizon injected an invisible, undeletable tracking header (UIDH "supercookie") into every HTTP request made by its mobile customers. Customers could not remove it, opt out of it, or even detect it without technical expertise. Third-party advertisers like Turn used it to rebuild tracking profiles even after customers cleared their cookies. The FCC fined Verizon $1.35 million.

Security researchers who examined the breach quickly determined it was caused by an unsecured API endpoint that required no authentication. The API was publicly accessible on the internet -- no password, no token, no authentication of any kind. Attackers could query the API and receive customer records including passport numbers, driver's licence numbers, Medicare numbers, dates of birth, home addresses, and email addresses for 9.8 million current and former customers. The alleged attacker was reported to be a 19-year-old in Sydney. There was nothing sophisticated about the attack. Optus left a door open on the internet with no lock, and someone walked through it. Calling an unsecured API a "sophisticated cyberattack" was a public relations strategy, not a technical assessment. The Australian government was so outraged by the breach that it passed the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022, increasing maximum penalties from $2.2 million to $50 million.

T-Mobile has been breached at least 9 times since 2018 -- the most serially breached major company in America. August 2021: 77 million customers' data exposed, including Social Security numbers, driver's license numbers, names, addresses, and dates of birth. January 2023: 37 million customers' names, addresses, and phone numbers stolen through an exploited API for over two months before detection. Additional incidents in 2018, 2019, 2020, 2022, and 2023. The $350 million class action settlement (2022) was the direct result of the 2021 breach. T-Mobile's CEO apologised after each breach, promised to invest in security, and was breached again. Nine breaches in six years. Each time, "we take security seriously." Each time, another breach. The Un-carrier treats customer data like a revolving door.

In 2022, the OAIC investigated Telstra Health (formerly Argus) after it was revealed the subsidiary had shared My Health Record data with law enforcement without proper authorisation. The OAIC found failures in data handling practices for one of Australia's most sensitive health databases.

In February 2026, hackers breached Odido — the Netherlands' largest mobile operator — stealing data on 6.2 million of its 7 million customers. That is approximately one-third of the entire Dutch population. Exposed data included names, phone numbers, emails, dates of birth, IBANs (bank account numbers), and passport/driver's licence numbers. A class-action lawsuit was filed. Odido was formerly T-Mobile Netherlands before rebranding in 2023. One telecom breach exposed the bank details and identity documents of a third of a country.

In 2011, a major Vodafone Australia data breach was exposed when it was revealed that dealer staff could access detailed customer records including names, addresses, dates of birth, credit card numbers, and call records through an insecure web portal. Hundreds of dealer employees had access to millions of customers' complete records with minimal security controls.