Mike Sievert, CEO of T-Mobile, is in a spot of bother after a major data breach of the carrier’s servers. In a statement issued last week, he apologized for a data breach but also tried to paint a rosy picture of the data breach by claiming no financial details were stolen but confirmed that millions of social security numbers were compromised.
The attack on the carrier’s servers impacted more than 54 million current, former and prospective users. Leaked data included social security numbers, names, contact numbers, driver’s license information, IMEI and IMSI information, and addresses for some, but not financial details. Meanwhile, device identifiers and PINs were obtained for certain accounts.
“What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data. In short, this individual’s intent was to break in and steal data, and they succeeded,” Seivert stated.
Hacker John Binns, a US citizen living in Turkey, has taken credit for the attack, calling the carrier's security practices "awful." Binns has reportedly been scanning T-Mobile's systems for vulnerabilities since last summer, and finally discovered a vulnerable internet-exposed router in July, which provided access to T-Mobile servers in a data center near East Wenatchee, Washington state. He claimed it took him roughly a week to breach the servers storing customer data.
The hacker said he targeted T-Mobile servers to grab the attention of the world. Last year, he filed a lawsuit against several US government agencies including the CIA and FBI, claiming that he had been blackmailed, surveilled, and tortured.
T-Mobile became one of the country’s largest cellphone service carriers, along with AT&T and Verizon, after buying rival Sprint last year. It reported having a total of 102.1 million U.S. customers after the merger.
T-Mobile has previously disclosed a number of data breaches over the past years, and it doesn’t seem to have learned from those incidents, something that has been mentioned in the lawsuits filed against the carrier as a result of the latest breach.
Sievert said the company has collaborated with cybersecurity firms Mandiant and KPMG LLG to strengthen security. He also apologized to the affected users for the data breach and announced that the company will offer impacted individuals two years of free identity protection services as promised to take steps to prevent these types of incidents in the future.
