T-Mobile data breach
In summer 2021, T-Mobile US confirmed that the company had been subject to a data breach. A hacker called John Erin Binns took credit for the release of large numbers of customer records, and the event contributed to T-Mobile receiving a fine of $15 million in 2024.[1]
Background
T-Mobile had suffered data breaches in 2009, 2015, 2017, 2018, 2019, and 2020.[2][3]
In 2020, John Erin Binns, who later claimed responsibility for the breach, filed a lawsuit against the American government, accusing it of being involved in his alleged kidnapping and torture and of attacking him with psychic and energy weapons.[4]
Timeline
July 2021
John Erin Binns gained access to an unprotected router located in Washington.[5] Access was achieved by means of a brute-force attack; there were no controls to prevent multiple login attempts or to require multi-factor authentication.[6] Once access to the router was achieved, Binns was able to move around the network due to a lack of network segmentation.
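The missing control on repeated login attempts can be illustrated with a failed-login throttle replayed over a constructed log. This is an added example, not code from T-Mobile or from the cited sources; the class and function names, the thresholds, and the log format are assumptions, and the addresses come from documentation ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed events (not real data): time, source, account, outcome."""
    t0 = datetime(2021, 7, 1, 10, 0, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [f"{stamp(10 * i)} 198.51.100.7 admin FAIL" for i in range(8)]
    lines.append(f"{stamp(80)} 198.51.100.7 admin OK")   # ninth guess is right
    lines.append(f"{stamp(30)} 203.0.113.20 noc-ops FAIL")  # ordinary typo
    lines.append(f"{stamp(45)} 203.0.113.20 noc-ops OK")
    return sorted(lines)  # ISO timestamps sort chronologically

class LoginThrottle:
    """Lock a source address and an account after repeated failures."""
    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(minutes=15)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # key -> times of recent failures
        self.locked_until = {}              # key -> time the lock expires

    def attempt(self, source, account, now, password_ok):
        """Return 'rejected', 'denied' or 'granted' for one login attempt."""
        keys = (("src", source), ("acct", account))
        if any(now < self.locked_until.get(k, datetime.min) for k in keys):
            return "rejected"  # locked: the password is not even evaluated
        if password_ok:
            for k in keys:
                self.failures.pop(k, None)
            return "granted"
        for k in keys:
            q = self.failures[k]
            q.append(now)
            while now - q[0] > self.window:  # drop failures outside the window
                q.popleft()
            if len(q) >= self.max_failures:
                self.locked_until[k] = now + self.lockout
                q.clear()
        return "denied"

def replay(lines, throttle):
    """Feed log lines to the throttle; return (source, account, decision)."""
    out = []
    for line in lines:
        ts, source, account, outcome = line.split()
        now = datetime.fromisoformat(ts)
        out.append((source, account,
                    throttle.attempt(source, account, now, outcome == "OK")))
    return out

if __name__ == "__main__":
    for row in replay(build_sample_log(), LoginThrottle()):
        print(*row)
```

With the assumed limit of five failures in five minutes, the guessing source is locked after its fifth failure, so its later correct guess is rejected, while the user who mistyped once still logs in.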
August 2021
On August 13, the security research firm Unit221B LLC reported to T-Mobile that an account on a security forum was attempting to sell T-Mobile customer data.[6]
On August 16, T-Mobile confirmed that the company had been subject to a data breach but declined to say whether any customers' personal information was accessed or how widespread the damage was. The company acknowledged the breach after hackers told Vice the day prior that they were selling "full customer info" obtained from T-Mobile servers.[7][8]
On August 18, 2021, T-Mobile provided an update on the latest findings regarding the data breach. According to the preliminary analysis, the hackers were able to obtain the records of more than 40 million former and prospective customers who had applied for credit, along with those of 7.8 million existing postpaid customers. T-Mobile confirmed that the data collected by the hackers included sensitive personal information, such as first and last names, birthdates, driver's license/ID numbers, and Social Security numbers, but that the hackers were unable to access phone numbers, account numbers, PINs or passwords. T-Mobile offered two years of free identity protection services and also recommended that customers change their PIN as soon as possible. No Metro by T-Mobile, former Sprint prepaid, or Boost Mobile customers were affected by the breach.[9][10]
It was reported on August 23, 2021, that T-Mobile was subject to multiple class-action lawsuits filed in federal court as the number of current and former customers impacted by the cyberattack grew. One of the lawsuits accused T-Mobile of putting the plaintiffs, as well as members of the class, at "considerable risk" through its negligent failure to adequately protect its customers. The second lawsuit alleged that attack victims spent as much as 1,000 hours addressing the privacy concerns stemming from the attack, which included reviewing financial and credit statements for evidence of unauthorized activity.[11]
On August 24, 2021, it was announced that T-Mobile Business customers were affected by the data breach, according to the T-Mobile for Business information site, which stated that the exact business and personal information that was accessed varied by business and individual. The company determined that the types of data affected for businesses included the business's name, federal tax ID, business address, contact name, and business phone number, as well as the personal information stated in the above paragraphs; there was no indication that business or personal financial information, including credit or debit card information, account passwords or PINs, was included in the data breach.[12]
On August 26, 2021, self-reputed hacker John Binns claimed responsibility for the attack and offered an interview on how he was able to access T-Mobile's servers. He said that he used a readily available tool to locate an exposed router and that it took him a week to penetrate the customer data stored in a T-Mobile data center near East Wenatchee, Washington. He also provided evidence to support his claim of being responsible for the attack and that he stole the data to create “noise” and get attention. The Wall Street Journal asked T-Mobile about the claims but they declined to comment.[13][14] The total number of customers affected, despite previous reports, was 76.6 million.[15]
September 2021
On September 6, 2021, T-Mobile US customers filed class action lawsuits accusing the company of negligence after the data breach incident. Three lawsuits have been filed in district court and all demand jury trials. Two of the complaints accuse T-Mobile of violating the US Federal Trade Commission (FTC) Act of 1914, which prohibits companies from engaging in “unfair or deceptive” activities, which includes companies failing to maintain appropriate security measures to safeguard customer information. In another filing, the plaintiff noted that the FTC provided cybersecurity guidelines advising companies not to maintain personally identifiable information “longer than is needed for authorization of a transaction”. Another class action suit accuses T-Mobile of violating the California Consumer Privacy Act, which assigns specific penalties to companies which allow unauthorized access to their customers’ data.[16]
It was subsequently reported that T-Mobile attempted to stop the sharing of the stolen data at the time of the incident by secretly paying the hackers over $200,000 through an intermediary. The plan failed and the stolen data remained available for sale.[17]
Indictment and arrest of Binns
In January 2024, it was reported that a 12-count sealed federal indictment in the Western District of Washington had been obtained against hacker John Erin Binns for the August 2021 data breach and sale of data. Binns was originally indicted in January 2022. The counts against him include hacking-related offenses as well as conspiracy, wire fraud, money laundering, and aggravated identity theft. He remains in the Republic of Turkey while contesting extradition.[18] The indictment has since been unsealed by the court. Binns was eventually arrested in Turkey and an extradition proceeding to deliver him to the United States is ongoing.[19][20]
References
- ^ Shepardson, David (2024-09-30). "US reaches $31.5 million settlement with T-Mobile over data breaches". Reuters. Thomson Reuters. Retrieved 2024-11-26.
- ^ Reed, Catherine (2023-09-28). "T-Mobile Data Breaches: Full Timeline Through 2023". Firewall Times. Retrieved 2024-11-26.
- ^ "T-Mobile's Security Is 'Awful,' Says Purported Thief". threatpost.com. 2021-08-28. Retrieved 2024-11-26.
- ^ Clark, Mitchell (2021-08-26). "Hacker claims responsibility for T-Mobile attack, bashes the carrier's security". The Verge. Retrieved 2024-11-26.
- ^ Faircloth, C.; Hartzell, G.; Callahan, N.; Bhunia, S. (2022). "A Study on Brute Force Attack on T-Mobile Leading to SIM-Hijacking and Identity-Theft". 2022 IEEE World AI IoT Congress (AIIoT). Seattle, WA, USA: IEEE. pp. 501–507. doi:10.1109/AIIoT54504.2022.9817175.
- ^ a b https://www.wsj.com/articles/t-mobile-hacker-who-stole-data-on-50-million-customers-their-security-is-awful-11629985105.
- ^ Fung, Brian (August 16, 2021). "T-Mobile confirms it was hit by data breach". CNN Business. Archived from the original on August 16, 2021. Retrieved August 16, 2021.
- ^ Molina, Brett. "T-Mobile confirms data breach but can't determine whether customer data was impacted". CNN. Archived from the original on August 16, 2021. Retrieved August 16, 2021.
- ^ "T‑Mobile Shares Updated Information Regarding Ongoing Investigation into Cyberattack". T-Mobile. Archived from the original on August 23, 2021. Retrieved August 23, 2021.
- ^ Torralba, Christine. "T-Mobile confirms recent cybersecurity attack involves 48 million victims". Tmo News. Archived from the original on August 22, 2021. Retrieved August 23, 2021.
- ^ Manfredi, Lucas (August 23, 2021). "T-Mobile hit with class-action lawsuits over data breach". Q13 Fox Seattle. Archived from the original on August 26, 2021. Retrieved August 26, 2021.
- ^ Hardesty, Linda (August 24, 2021). "T-Mobile Business customers also hit by security breach". Fierce Wireless. Archived from the original on August 25, 2021. Retrieved August 26, 2021.
- ^ Fingas, Jon (August 26, 2021). "T-Mobile hacker says the carrier's security is 'awful'". Engadget. Archived from the original on August 28, 2021. Retrieved August 28, 2021.
- ^ Clark, Mitchell (August 26, 2021). "Hacker claims responsibility for T-Mobile attack, bashes the carrier's security". The Verge. Archived from the original on August 27, 2021. Retrieved August 28, 2021.
- ^ Corkery, Michael (July 23, 2022). "T-Mobile Reaches $500 Million Settlement in Huge 2021 Data Breach". The New York Times. ISSN 0362-4331. Archived from the original on September 21, 2023. Retrieved October 25, 2023.
- ^ DeGrasse, Martha (September 6, 2021). "T-Mobile US hit with class action lawsuits". Mobile World Live. Archived from the original on September 6, 2021. Retrieved September 7, 2021.
- ^ Cox, Joseph (April 12, 2022). "T-Mobile Secretly Bought Its Customer Data from Hackers to Stop Leak. It Failed". Vice. Archived from the original on June 19, 2023. Retrieved October 25, 2023.
- ^ Cox, Joseph (January 9, 2024). "Sealed Indictment Shows Case Against Hacker Behind Massive T-Mobile Data Breach". Retrieved February 18, 2024.
- ^ Keys, Matthew (2024-05-27). "Exclusive: American who hacked T-Mobile servers in 2021 arrested in Turkey, to be extradited to U.S." The Desk. Retrieved 2024-07-22.
- ^ Cox, Joseph (2024-07-12). "American Hacker in Turkey Linked to Massive AT&T Breach". 404 Media. Retrieved 2024-07-22.