In summer 2021, T-Mobile US confirmed that the company had been subject to a data breach. A hacker called John Erin Binns took credit for the release of millions of customer records, and the event contributed to T-Mobile receiving a fine of $15 million in 2024. [1]
T-Mobile US, Inc. is an American wireless network operator and is the second largest wireless carrier in the United States, with 127.5 million subscribers as of September 30, 2024. T-Mobile had previously suffered data breaches in 2009, 2015, 2017, 2018, 2019, and 2020. [2] [3]
In 2020, John Erin Binns, who later claimed responsibility for the breach, filed a lawsuit against the American government, accusing it of involvement in his alleged kidnapping and torture and of attacking him with psychic and energy weapons. [4]
John Erin Binns gained access to an unprotected GPRS gateway located in Washington. [5] [6] An SSH login was achieved by means of a brute-force attack; there were no controls to prevent multiple login attempts. [7] Once access to the router was achieved, Binns was able to move around the network due to a lack of network segmentation. [5]
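The failure mode described above, repeated password guesses over SSH ending in a successful login, is detectable from sshd authentication logs. The following Python example is added here for illustration and is not from the article's sources or from T-Mobile; the log lines are constructed, and the ISO timestamp prefix, the host name `gw01`, the threshold and the time window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH's sshd message format (not real incident data).
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-01-01T00:00:01 gw01 sshd[811]: Failed password for root from 203.0.113.7 port 40001 ssh2
2024-01-01T00:00:02 gw01 sshd[811]: Failed password for root from 203.0.113.7 port 40002 ssh2
2024-01-01T00:00:03 gw01 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
2024-01-01T00:00:04 gw01 sshd[813]: Failed password for root from 203.0.113.7 port 40004 ssh2
2024-01-01T00:00:05 gw01 sshd[814]: Failed password for root from 203.0.113.7 port 40005 ssh2
2024-01-01T00:00:06 gw01 sshd[815]: Failed password for root from 203.0.113.7 port 40006 ssh2
2024-01-01T00:00:08 gw01 sshd[816]: Accepted password for root from 203.0.113.7 port 40007 ssh2
2024-01-01T00:05:00 gw01 sshd[900]: Failed password for ops from 198.51.100.20 port 51000 ssh2
2024-01-01T00:05:09 gw01 sshd[901]: Accepted password for ops from 198.51.100.20 port 51001 ssh2
"""

# Timestamp, host, then sshd's password result, user and source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return (kind, ip, user, timestamp) alerts for guessing bursts per source IP."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    flagged = set()                # IPs already reported as guessing
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        ip, user = m["ip"], m["user"]
        recent = failures[ip]
        while recent and ts - recent[0] > window:  # drop failures outside the window
            recent.popleft()
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("bruteforce", ip, user, m["ts"]))
        elif len(recent) >= threshold:
            # A successful login right after a burst of failures is the critical case.
            alerts.append(("success_after_bruteforce", ip, user, m["ts"]))
    return alerts
```

Detection of this kind complements, and does not replace, preventive limits on repeated attempts, such as sshd's `MaxAuthTries` setting combined with source-address lockout at the host or firewall.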
On August 12, T-Mobile became aware of a potential attack and started an internal investigation. [8]
On August 13, the security research firm Unit221B LLC reported to T-Mobile that an account on a security forum was attempting to sell T-Mobile customer data. [7] This was also reported online. [9] August 13 was later shown to be the last date on which there was evidence of intruder activity. [8]
On August 15, T-Mobile confirmed to its satisfaction that there was a cyber attack and contracted an outside company to conduct a forensic investigation. [8]
On August 16, T-Mobile publicly confirmed that the company had been subject to a data breach but declined to say whether any customers' personal information was accessed or how widespread the damage was.
On August 18, 2021, T-Mobile provided a preliminary analysis, showing the attackers were able to obtain the records of more than 40 million former and prospective customers that had applied for credit, along with 7.8 million existing postpaid customers. T-Mobile confirmed that the data collected by the hackers included sensitive personal information, such as first and last names, birthdates, driver's license/ID numbers, and Social Security numbers. T-Mobile offered two years of free identity protection services and also proactively reset the PINs on accounts where PINs had been exposed. [10] [11]
On August 24, 2021, it was announced that T-Mobile Business customers were affected by the data breach. The company determined that the types of data that impacted businesses included the business's name, federal tax ID, business address, contact name, and business phone number, as well as personal information; there was no indication that business or personal financial information, including credit or debit card information, account passwords or PINs, were included in the data breach. [12]
On August 26, John Erin Binns, aka IRDev, claimed responsibility for the attack and provided evidence to support his claim. [13] [14]
T-Mobile identified 76 million customers and previous customers in the US that might have had their information compromised in the data breach. [15] This included:
T-Mobile confirmed that no customer financial information such as credit card or debit card information was exposed. [8]
In late 2022, T-Mobile agreed to settle a class action lawsuit filed by customers. It committed to pay $350 million to settle customers' claims. [16] In 2024, T-Mobile reached a $31.5 million settlement to resolve a Federal Communications Commission probe that included this breach and others. [17]
In January 2024, it was reported that a 12-count sealed federal indictment in the Western District of Washington had been obtained against hacker John Erin Binns for the August 2021 data breach and sale of data. Binns was originally indicted in January 2022. The counts against him include hacking-related offenses as well as conspiracy, wire fraud, money laundering, and aggravated identity theft. He remains in the Republic of Turkey while contesting extradition. [18] The indictment has since been unsealed by the court. Binns was eventually arrested in Turkey and an extradition proceeding to deliver him to the United States is ongoing. [19] [20]
In March 2024, Diogo Santos Coelho was arrested in the UK for running a hacking site called RaidForums. It was reported by Vice Media that T-Mobile attempted to stop the sharing of the stolen data at the time of the incident by secretly paying the hackers over $200,000 through Coelho's middleman service. The plan failed and the stolen data remained available for sale. [21]
As of December 2024, Binns is currently living in Turkey awaiting extradition to the United States for his involvement in the 2024 Snowflake data breach. [22]
On August 16, 2021, T-Mobile announced a significant data breach, exposing personal information of over 50 million users. Personal details like names, addresses, phone numbers, and social security numbers were reportedly being sold in underground forums for as little as six bitcoins. How did a billion-dollar company get hacked by a single person, and how could they have prevented it?
T-Mobile (TMUS.O) has reached a $31.5 million settlement to resolve a probe by the Federal Communications Commission into significant data breaches over three years that impacted tens of millions of U.S. consumers, the agency said on Monday.