T-Mobile data breach


In summer 2021, T-Mobile US confirmed that the company had been subject to a data breach. A hacker named John Erin Binns took credit for the theft and sale of millions of customer records, and the breach was one of several that led to T-Mobile's $31.5 million settlement with the Federal Communications Commission in 2024. [1]


Background

T-Mobile US, Inc. is an American wireless network operator and the second largest wireless carrier in the United States, with 127.5 million subscribers as of September 30, 2024. T-Mobile had previously suffered data breaches in 2009, 2015, 2017, 2018, 2019, and 2020. [2] [3]

In 2020 John Erin Binns, who later claimed responsibility for the breach, filed a lawsuit against the American government accusing them of being involved with his alleged kidnapping and torture and attacking him with psychic and energy weapons. [4]

Timeline

July 2021

John Erin Binns gained access to an unprotected GPRS gateway located in Washington. [5] [6] He obtained an SSH login by brute force; there were no controls limiting repeated login attempts. [7] Once on the gateway, Binns was able to move through the network because of a lack of network segmentation. [5]
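The entry above describes an SSH brute force against an exposed gateway with no control on repeated login attempts. As an added example (not code from this page, from T-Mobile, or from the cited sources), the following Python script shows the detection logic a defender would run over sshd authentication logs: a per-source sliding window that flags a burst of failed logins and, more importantly, a successful login that immediately follows such a burst. The log lines, hostnames, usernames and IP addresses are constructed for illustration; the threshold and window are assumed starting values, not recommendations drawn from the incident.

```python
"""Sliding-window SSH brute-force detector over OpenSSH sshd log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches OpenSSH auth records such as
#   "Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2"
#   "Accepted publickey for ops from 198.51.100.5 port 40010 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log (not a real capture): a fast brute force from
# 203.0.113.7 that ends in a successful password login, a slow attacker at
# 192.0.2.9 that stays under the rate threshold, and a legitimate key-based
# login from 198.51.100.5 followed by one mistyped password.
SAMPLE_LOG = """\
Jul 10 03:10:00 gw01 sshd[1990]: Failed password for root from 192.0.2.9 port 44001 ssh2
Jul 10 03:12:00 gw01 sshd[1991]: Failed password for root from 192.0.2.9 port 44002 ssh2
Jul 10 03:14:00 gw01 sshd[1992]: Failed password for root from 192.0.2.9 port 44003 ssh2
Jul 10 03:14:01 gw01 sshd[2011]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul 10 03:14:02 gw01 sshd[2012]: Failed password for invalid user admin1 from 203.0.113.7 port 51023 ssh2
Jul 10 03:14:03 gw01 sshd[2013]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Jul 10 03:14:04 gw01 sshd[2014]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Jul 10 03:14:05 gw01 sshd[2015]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Jul 10 03:14:06 gw01 sshd[2016]: Failed password for admin from 203.0.113.7 port 51027 ssh2
Jul 10 03:14:09 gw01 sshd[2017]: Accepted password for admin from 203.0.113.7 port 51030 ssh2
Jul 10 03:16:00 gw01 sshd[1993]: Failed password for root from 192.0.2.9 port 44004 ssh2
Jul 10 03:18:00 gw01 sshd[1994]: Failed password for root from 192.0.2.9 port 44005 ssh2
Jul 10 03:20:00 gw01 sshd[2040]: Accepted publickey for ops from 198.51.100.5 port 40010 ssh2
Jul 10 03:21:00 gw01 sshd[2041]: Failed password for ops from 198.51.100.5 port 40011 ssh2
"""


def parse_line(line):
    """Return a dict with ts/result/user/ip for an auth record, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog stamps carry no year; strptime fills in 1900, which is fine
    # because only differences between timestamps are used below.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Scan log lines in order and return a list of alert tuples.

    ("bruteforce_burst", ip, count)          -> threshold failures within window_s
    ("success_after_bruteforce", ip, user)   -> Accepted login while the source
                                                still has a burst inside the window
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    burst_alerted = set()          # one burst alert per source
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated sshd chatter (disconnects, key exchange, ...)
        q = failures[ev["ip"]]
        # Drop failures that fell outside the window relative to this event.
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in burst_alerted:
                burst_alerted.add(ev["ip"])
                alerts.append(("bruteforce_burst", ev["ip"], len(q)))
        elif len(q) >= threshold:
            # A success riding on a burst is the signal worth paging on.
            alerts.append(("success_after_bruteforce", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run as a script, it reports a burst from 203.0.113.7 followed by the successful login as admin, and nothing for the two other sources. The slow attacker at 192.0.2.9 (one attempt every two minutes) stays under the 60-second window and is only flagged when the window is widened, which is why rate-based detection complements, rather than replaces, keeping management interfaces off the public internet and enforcing lockout or ban controls such as sshd's MaxAuthTries and fail2ban.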

August 2021

On August 12, T-Mobile became aware of a potential attack and started an internal investigation. [8]

On August 13, the security research firm Unit221B LLC reported to T-Mobile that an account on an online forum was attempting to sell T-Mobile customer data. [7] The sale was also reported in the press. [9] August 13 was later shown to be the last date on which there was evidence of intruder activity. [8]

On August 15, T-Mobile confirmed that a cyber attack had taken place and engaged an outside firm to conduct a forensic investigation. [8]

On August 16, T-Mobile publicly confirmed that the company had been subject to a data breach but declined to say whether any customers' personal information was accessed or how widespread the damage was.

On August 18, 2021, T-Mobile provided a preliminary analysis showing that the attackers had obtained the records of more than 40 million former and prospective customers who had applied for credit, along with 7.8 million existing postpaid customers. T-Mobile confirmed that the data taken by the hackers included sensitive personal information such as first and last names, birthdates, driver's license/ID numbers, and Social Security numbers. T-Mobile offered two years of free identity protection services and proactively reset the PINs on accounts where PINs had been exposed. [10] [11]

On August 24, 2021, it was announced that T-Mobile Business customers were also affected by the data breach. The company determined that the types of data exposed for affected businesses included the business's name, federal tax ID, business address, contact name, and business phone number, as well as personal information; there was no indication that business or personal financial information, including credit or debit card information, account passwords or PINs, was included in the data breach. [12]

On August 26, John Binns claimed responsibility for the attack and provided evidence to support his claim. [13] [14]

Extent of breach

T-Mobile identified 76 million customers and previous customers in the US that might have had their information compromised in the data breach. [15] This included:

T-Mobile confirmed that no customer financial information such as credit card or debit card information was exposed. [8]

In late 2022, T-Mobile agreed to settle a class action lawsuit filed by customers, committing to pay $350 million to resolve customers' claims. [16] In 2024, T-Mobile reached a $31.5 million settlement to resolve a Federal Communications Commission probe that covered this breach and others. [17]

Indictment and arrests

In January 2024, it was reported that a sealed 12-count federal indictment had been obtained in the Western District of Washington against John Erin Binns for the August 2021 data breach and the sale of the stolen data. Binns was originally indicted in January 2022. The counts include hacking-related offenses as well as conspiracy, wire fraud, money laundering, and aggravated identity theft. [18] The indictment has since been unsealed by the court. Binns was subsequently arrested in Turkey, where he is contesting extradition to the United States. [19] [20]

In 2022, Diogo Santos Coelho, the administrator of the hacking forum RaidForums, was arrested in the UK. Vice Media reported that T-Mobile had tried to stop the spread of the stolen data at the time of the incident by secretly paying the hackers over $200,000 through a middleman service run by Coelho. The attempt failed and the stolen data remained available for sale. [21]

As of December 2024, Binns remains in Turkey awaiting extradition to the United States; he has also been linked to the 2024 Snowflake data breach. [22]


References

  1. Shepardson, David (2024-09-30). "US reaches $31.5 million settlement with T-Mobile over data breaches". Reuters. Retrieved 2024-11-26.
  2. Reed, Catherine (2023-09-28). "T-Mobile Data Breaches: Full Timeline Through 2023". Firewall Times. Retrieved 2024-11-26.
  3. "T-Mobile's Security Is 'Awful,' Says Purported Thief". Threatpost. 2021-08-28. Retrieved 2024-11-26.
  4. Clark, Mitchell (2021-08-26). "Hacker claims responsibility for T-Mobile attack, bashes the carrier's security". The Verge. Retrieved 2024-11-26.
  5. Tahir (2024-11-16). "Lessons from the T-Mobile Data Breach: What Went Wrong and How to Protect Your Data". Medium. Retrieved 2024-11-26.
  6. Faircloth, C.; Hartzell, G.; Callahan, N.; Bhunia, S. (2022). "A Study on Brute Force Attack on T-Mobile Leading to SIM-Hijacking and Identity-Theft". 2022 IEEE World AI IoT Congress (AIIoT). Seattle, WA, USA: IEEE. pp. 501–507. doi:10.1109/AIIoT54504.2022.9817175.
  7. FitzGerald, Drew; McMillan, Robert (2021-08-27). "T-Mobile Hacker Who Stole Data on 50 Million Customers: 'Their Security Is Awful'". The Wall Street Journal.
  8. Federal Communications Commission DA 24-860: In the Matter of T-Mobile US, Inc (PDF) (Report). Washington, D.C.: Federal Communications Commission. 2024-09-30. p. 5. Retrieved 2024-11-27.
  9. Cox, Joseph (2021-08-15). "T-Mobile Investigating Claims of Massive Customer Data Breach". VICE. Retrieved 2024-11-27.
  10. "T-Mobile Shares Updated Information Regarding Ongoing Investigation into Cyberattack". T-Mobile. Archived from the original on 2021-08-23. Retrieved 2021-08-23.
  11. Torralba, Christine. "T-Mobile confirms recent cybersecurity attack involves 48 million victims". Tmo News. Archived from the original on 2021-08-22. Retrieved 2021-08-23.
  12. Hardesty, Linda (2021-08-24). "T-Mobile Business customers also hit by security breach". Fierce Wireless. Archived from the original on 2021-08-25. Retrieved 2021-08-26.
  13. Fingas, Jon (2021-08-26). "T-Mobile hacker says the carrier's security is 'awful'". Engadget. Archived from the original on 2021-08-28. Retrieved 2021-08-28.
  14. Clark, Mitchell (2021-08-26). "Hacker claims responsibility for T-Mobile attack, bashes the carrier's security". The Verge. Archived from the original on 2021-08-27. Retrieved 2021-08-28.
  15. "Deadline Passes on T-Mobile's $350 Million Settlement Days After Another Data Breach". CNET. Retrieved 2024-11-26.
  16. "T-Mobile Agrees to $500M Settlement in Massive Data Breach". CNET. Retrieved 2024-11-26.
  17. Shepardson, David (2024-09-30). "US reaches $31.5 million settlement with T-Mobile over data breaches". Reuters. Retrieved 2024-11-26.
  18. Cox, Joseph (2024-01-09). "Sealed Indictment Shows Case Against Hacker Behind Massive T-Mobile Data Breach". 404 Media. Retrieved 2024-02-18.
  19. Keys, Matthew (2024-05-27). "Exclusive: American who hacked T-Mobile servers in 2021 arrested in Turkey, to be extradited to U.S." The Desk. Retrieved 2024-07-22.
  20. Cox, Joseph (2024-07-12). "American Hacker in Turkey Linked to Massive AT&T Breach". 404 Media. Retrieved 2024-07-22.
  21. Cox, Joseph (2022-04-12). "T-Mobile Secretly Bought Its Customer Data from Hackers to Stop Leak. It Failed". Vice. Archived from the original on 2023-06-19. Retrieved 2023-10-25.
  22. Zetter, Kim. "AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records". Wired. ISSN 1059-1028. Retrieved 2024-12-28.