T-Mobile US said a cyberattack earlier this month that exposed millions of customer records was carried out using specialized tools to gain entry to the network, followed by brute force-style hacking techniques to access user data.
“In short, this individual’s intent was to break in and steal data, and they succeeded,” Chief Executive Officer Mike Sievert said Friday in a statement, the company’s fullest account yet of what happened. The company has hired cybersecurity provider Mandiant Corp. and consulting firm KPMG to improve its defenses, he said.
The breach, the fourth that has compromised T-Mobile customer records in as many years, involved personal information including names, dates of birth, Social Security numbers and driver’s license information. Sievert said the company is working with law enforcement and can’t share further details of what happened.
The theft involved the records of more than 13 million current customers, along with more than 40 million prospective customers who had applied for credit with the company, and 667,000 former customers, according to a company statement last week. An additional 902,000 prepaid customers also had some data exposed.
“The sheer number of massive data breaches is a clear sign that something’s not right in the land of magenta,” said Tammy Parker, an analyst with GlobalData, referring to the T-Mobile brand’s signature color.
T-Mobile shares were little changed at 9:51 a.m. in New York.
The U.S. Federal Communications Commission said last week it is investigating the breach. T-Mobile is also the subject of at least two class-action lawsuits accusing the company, the second-largest U.S. wireless carrier, of failing to protect customer data.
T-Mobile was hacked twice last year, and in 2018, about 2.5 million customers had their data exposed in a network breach. That attack became part of a federal class-action lawsuit.
A person on social media claiming to be a 21-year-old American living in Turkey has taken credit for the hack, according to the Wall Street Journal. John Binns claims to have cracked T-Mobile’s network over the course of a week and then tried to sell the data to willing buyers on the social media channel Telegram, according to the Journal.
Bloomberg was unable to confirm his account.
T-Mobile could face fines if it is found responsible for security lapses.
In 2017, Equifax had a massive breach that affected 163 million people. It was later fined $700 million by the Federal Trade Commission. Using that math, Jonathan Chaplin, an analyst at New Street Research, estimates that T-Mobile might be on the hook for $215 million in fines if the FTC takes action, he wrote in a note last week.
AT&T paid a $25 million fine after it was discovered that call-center employees had sold the personal data, including the Social Security numbers, of 280,000 customers. And Yahoo, formerly owned by Verizon Communications Inc., had a hack that exposed the information of as many as 3 billion of its customers.
“T-Mobile has an extremely loyal customer base, and that will be a benefit through this crisis,” Parker said. “But T-Mobile needs to reassure its customers, potential customers, regulators and lawmakers that it is not only taking cybersecurity seriously but that it is rapidly fixing the problems to prevent this from happening again.”