T-Mobile CEO Mike Sievert today released a letter to the carrier’s customers apologizing for the recent data breach that revealed the personal information of more than 50 million current, former, and prospective T-Mobile users.
Data revealed included names, phone numbers, addresses, birth dates, social security numbers, driver’s license and ID info, IMEI numbers, and IMSI numbers. The stolen information has been offered for sale.
“We didn’t live up to the expectations we have for ourselves to protect our customers,” wrote Sievert. “Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry.”
“To say we are disappointed and frustrated that this happened is an understatement. Keeping our customers’ data safe is a responsibility we take incredibly seriously and preventing this type of event from happening has always been a top priority of ours. Unfortunately, this time we were not successful.”
John Binns, a 21-year-old American who moved to Turkey a few years ago, claims he was behind the security breach. Binns says he discovered an unprotected router in July after scanning T-Mobile’s known internet addresses for weak spots.
Binns then used the router to access T-Mobile’s data center located in Washington, where he says stored credentials provided him access to over 100 servers. He initially panicked because he recognized that he “had access to something big,” later saying that T-Mobile’s “security is awful.”
Sievert said that T-Mobile is coordinating with law enforcement on a criminal investigation, and that the company is unable to disclose specific details at this time.
“What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.”
As of today, T-Mobile has notified just about every current customer or primary account holder who had data such as name and current address, social security number, or government ID number compromised. Current customers or primary account holders whose data T-Mobile does not believe was impacted will now see a banner on their MyT-Mobile.com account login page letting them know. The carrier is also now working to notify former and prospective customers.
T-Mobile has published a web page where it is:
- Offering two years of free identity protection services with McAfee’s ID Theft Protection Service to all persons who may have been affected
- Recommending customers sign up for T-Mobile’s free scam-blocking protection through Scam Shield
- Making Account Takeover Protection available for postpaid customers, which makes it more difficult for customer accounts to be fraudulently ported out and stolen
- Suggesting other best practices and practical security steps like resetting PINs and passwords for all customers