Governance & Risk Management , Incident & Breach Response , IT Risk Management
T-Mobile CEO Apologizes for Mega-Breach, Offers UpdateHacker Claiming Responsibility for Attack Calls Company's Security 'Awful'
T-Mobile CEO Mike Sievert on Friday issued an official mea culpa for the data breach that exposed information on 54 million of the company's customers and prospects and offered a sketchy update on the results of an investigation.
On Thursday, the Wall Street Journal reported that someone claiming to be the hacker behind the Aug. 15 attack called T-Mobile's cybersecurity "awful."
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
Sievert said in his 1,200-word statement: "To say we are disappointed and frustrated that this happened is an understatement. Keeping our customers' data safe is a responsibility we take incredibly seriously, and preventing this type of event from happening has always been a top priority of ours. Unfortunately, this time we were not successful."
Sievert said T-Mobile has notified all those affected. He said an investigation is ongoing, and he declined to offer any specifics on how the attack transpired.
"What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data," Siever said.
Reuters reported on Aug. 18 that the Federal Communications Commission is investigating the T-Mobile breach.
A Hacker's Tale
The person claiming responsibility for the attack told the Wall Street Journal how he allegedly conducted it.
In a series of Telegram exchanges with the news organization, John Binns, a 21-year-old American now living in Turkey, said he found an unprotected T-Mobile router by scanning known T-Mobile internet addresses and looking for a weak spot in July, the Journal reports.
The entry point Binns found led into a data center in Wisconsin, from which he obtained access to more than 100 servers, allowing him to start exfiltrating data on Aug. 4, according to the newspaper report.
Binns claims he conducted the attack more for glory than money, but he would not tell the Journal whether he sold any of the stolen data.
T-Mobile has not responded to a request for comment on Binns' claims.
In his statement, Sievert said T-Mobile acknowledged the attack on Aug. 17. He did not indicate exactly how many customers were affected, but he said that data compromised was from millions of "customers, former customers and prospective customers."
He said that while financial information was not exposed, names, addresses, dates of birth and driver's license and other personal identification information was compromised, along with some Social Security numbers.
On Aug. 20, T-Mobile confirmed 14 million prepaid and postpaid customers had their information stolen. Also stolen were 40 million credit applications from former customers and prospects.
T-Mobile is offering those affected two years of prepaid identity protection services with McAfee's ID Theft Protection Service. It's also recommending that customers sign up for T-Mobile’s free scam-blocking protection through Scam Shield. And it's making account takeover protection available for postpaid customers.
The August breach is the fourth the company has endured in the last three years.
In December 2020 the cellphone carrier reported about 0.2%, or around 200,000, of its mobile customers, had their phone numbers, number of lines subscribed to and, in a small number of cases, some call-related information exposed.
In November 2019, T-Mobile suffered a breach of prepaid accounts as a result of unauthorized access to its systems; some 1 million customers were affected.
And in August 2018, the company reported that a cyberattack against a database may have exposed personal data for 2.3 million of its 77 million customers.