In a new update on Friday, T-Mobile CEO Mike Sievert looked to reassure customers about a recent major data breach of the carrier’s servers, apologizing and providing a bit of information about what happened as well as steps it is taking to avoid future incidents.
The breach involved the theft of personal information for more than 54 million people, including social security numbers, names, phone numbers and addresses for some, but not financial info. Device identifiers and PINs were obtained for certain accounts. Current, former and prospective T-Mobile customers were among those with personal data stolen. Business customers also had information taken.
“Keeping our customers’ data safe is a responsibility we take incredibly seriously and preventing this type of event from happening has always been a top priority of ours. Unfortunately, this time we were not successful,” Sievert said in a Friday blog post, which noted the initial investigation into the breach is winding down.
“Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry,” he continued.
T-Mobile confirmed last week that systems were breached, and a major question has been what happened and if there were shortcomings in T-Mobile’s security practices or systems. Since starting its investigation, T-Mobile has been working with security experts at Mandiant and the carrier has determined how “a bad actor” illegally gained entry to T-Mobile servers. Access points have already been closed off.
Still, Sievert said T-Mobile can’t disclose too many details about exactly what happened, though it continues to coordinate with law enforcement on a criminal investigation.
“What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data,” Sievert said. “In short, this individual’s intent was to break in and steal data, and they succeeded.”
He reiterated that T-Mobile is confident there’s no longer a risk to consumers from the breach.
When a report first surfaced from Vice’s Motherboard of a person purporting to sell personal data online that was obtained from T-Mobile servers, the seller claimed to have almost double the number of records (100 million) than what was later verified by T-Mobile.
A Wall Street Journal article on Thursday quoted the hacker taking responsibility for the breach, 21-year old John Binns, as saying T-Mobile’s “security is awful.”
According to the WSJ, Binns found an unprotected router after using a publicly available tool to search weak spots in T-Mobile’s known internet addresses. The access point enabled him to illegally hack into a data center, where he then got access to more than 100 servers via stored credentials and about a week later cracked into the T-Mobile customer data files, Binns told WSJ. The report said it was unclear whether Binns acted alone. The update from T-Mobile’s Sievert today referenced “an individual.”
The Journal reported that Binns is an American who moved to Turkey a few years ago and he claims to have attacked T-Mobile servers, in part, to gain attention.
Addressing security gaps
In today’s update, Sievert worked to alleviate consumer concerns, citing customer outreach efforts and plans to beef up cybersecurity.
“T-Mobile is taking significant steps to enhance our approach to cybersecurity,” Sievert wrote. That includes a new long-term partnership with Mandiant and consulting firm KPMG.
It’s using cybersecurity solutions from Mandiant and KPMG’s cybersecurity team will review all T-Mobile’s security policies and performance to find areas that are lacking.
“We know we need additional expertise to take our cybersecurity efforts to the next level—and we’ve brought in the help,” Sievert said.
He added “Mandiant and KPMG will work side-by-side with our teams to map out definitive actions that will be designed to protect our customers and others from malicious activity now and into the future. I am confident in these partnerships and optimistic about the opportunity they present to help us come out of this terrible event in a much stronger place with improved security measures.”
As of Friday, T-Mobile said it has notified “just about every current T-Mobile customer” or the main account holder that had personal data like addresses and SSNs stolen. The update didn’t mention how many former or prospective customers impacted in the breach have been notified. T-Mobile created a webpage to update customers on the cybersecurity attack and steps to take.
While this isn’t T-Mobile’s first data breach, a number of wireless industry analysts recently told Fierce that they don’t expect long-term impacts for the carrier in terms of retaining customers or attracting switchers.
Mark Lowenstein, analyst and managing director of Mobile Ecosystem, said that transparency will be key for T-Mobile when it comes to the what, why, and how of the breach and what’s being done to prevent future incidents.
“Customers just need to be assured that there is no greater likelihood this would happen on T-Mobile than on other operators,” Lowenstein said.
Since merging with Sprint, T-Mobile is the second-largest U.S. mobile operator, behind Verizon, with about 104.8 million customers as of the second quarter 2021.