BELLEVUE – The T-Mobile CEO said he was “truly sorry” for a data breach affecting about 50 million users that originated from an unprotected router in East Wenatchee, Washington.
A Thursday report in the Wall Street Journal quoted John Binns, a 21-year-old American hacker living in Turkey, as saying he hacked into the cellphone carrier’s data center outside East Wenatchee, where stored credentials allowed him to access more than 100 servers.
“I was panicking because I had access to something big,” Binns wrote. “Their security is awful.”
Binns declined to say, when asked by a Wall Street Journal reporter, whether he had sold any of the stolen data or was paid to breach T-Mobile.
T-Mobile CEO Mike Sievert said in a written statement Friday that the company puts a lot of effort into trying to stay ahead of criminal hackers “but we didn’t live up to the expectations we have for ourselves to protect our customers. Knowing that we failed to prevent this exposure is one of the hardest parts of this event.”
The company disclosed earlier in August that the names, Social Security numbers and information from driver’s licenses or other identification of just over 40 million people who applied for T-Mobile credit were exposed in a recent data breach.
The same data for about 7.8 million current T-Mobile customers who pay monthly for phone service also appeared to be compromised.
Sievert made no direct reference to Binns on Friday but said that, “in short, this individual’s intent was to break in and steal data, and they succeeded.”
Sievert said the breach has been contained, the investigation is “substantially complete” and that customer financial information wasn’t exposed.
He said T-Mobile hired cybersecurity experts from Mandiant to help with the investigation and is coordinating with law enforcement.
“What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data,” Sievert wrote.
Sievert said the company has notified “just about every” current customer who was affected, and is now doing the same for former customers and prospective customers who might have supplied some personal information in applying for an account.
Unaffected customers will see a banner on their T-Mobile online account page letting them know their data was not exposed.
T-Mobile became one of the country’s largest cellphone service carriers, along with AT&T and Verizon, after buying rival Sprint last year. It reported having a total of 102.1 million U.S. customers after the merger.
T-Mobile has previously disclosed a number of data breaches over the years, though the most recent was the largest. Sievert said the company is taking steps to improve its security.
The Federal Communications Commission, which regulates wireless carriers, has said it is investigating the breach.