T-Mobile Data Breach

In summer 2021, T-Mobile US confirmed that the company had been subject to a data breach. A hacker called John Erin Binns took credit for the release of millions of customer records, and the event contributed to T-Mobile receiving a fine of $15 million in 2024.


Background

T-Mobile US, Inc. is an American wireless network operator and is the second largest wireless carrier in the United States, with 127.5 million subscribers as of September 30, 2024. T-Mobile had previously suffered data breaches in 2009, 2015, 2017, 2018, 2019, and 2020. In 2020, John Erin Binns, who later claimed responsibility for the breach, filed a lawsuit against the American government accusing it of being involved in his alleged kidnapping and torture and of attacking him with psychic and energy weapons.


Timeline


July 2021

John Erin Binns gained access to an unprotected GPRS gateway located in Washington. An SSH login was achieved by means of a brute-force attack; there were no controls to prevent multiple login attempts. Once access to the router was achieved, Binns was able to move around the network due to a lack of network segmentation.
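An added example, not part of the original article: the paragraph above attributes the SSH login to a brute-force attack that no control on repeated attempts stopped. The sketch below shows the detection side, flagging a burst of failed logins from one source and any later success from that source; the OpenSSH-style log format, the threshold and window, and the sample lines are assumptions constructed here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH sshd syslog style (an assumption; the
# article does not say which SSH server or log format the gateway used).
SAMPLE_LOG = """\
Jul 19 03:10:01 gw1 sshd[811]: Failed password for root from 203.0.113.7 port 40100 ssh2
Jul 19 03:10:03 gw1 sshd[812]: Failed password for root from 203.0.113.7 port 40101 ssh2
Jul 19 03:10:05 gw1 sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 40102 ssh2
Jul 19 03:10:08 gw1 sshd[814]: Failed password for root from 203.0.113.7 port 40103 ssh2
Jul 19 03:10:11 gw1 sshd[815]: Failed password for root from 203.0.113.7 port 40104 ssh2
Jul 19 03:10:14 gw1 sshd[816]: Failed password for root from 203.0.113.7 port 40105 ssh2
Jul 19 03:10:20 gw1 sshd[817]: Accepted password for root from 203.0.113.7 port 40106 ssh2
Jul 19 09:00:00 gw1 sshd[901]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Jul 19 09:00:30 gw1 sshd[902]: Accepted password for alice from 198.51.100.20 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1), year=2021):
    """Per source IP: total failures, whether `threshold` failures fell inside
    one sliding `window`, and whether a login succeeded after such a burst."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    report = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # not a password-auth result line
        # syslog timestamps carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        entry = report.setdefault(
            ip, {"failures": 0, "burst": False, "success_after_burst": False})
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if m["result"] == "Failed":
            q.append(ts)
            entry["failures"] += 1
            entry["burst"] = entry["burst"] or len(q) >= threshold
        elif entry["burst"]:
            # Accepted login from a source that already produced a burst
            entry["success_after_burst"] = True
    return report
```

A source flagged with `success_after_burst` is the case that matters most for response, since it suggests the guessing succeeded rather than merely occurred.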


August 2021

On August 12, T-Mobile became aware of a potential attack and started an internal investigation. On August 13, the security research firm Unit221B LLC reported to T-Mobile that an account on a security forum was attempting to sell T-Mobile customer data. This was also reported online. This was later shown to be the last date on which there was evidence of intruder activity. On August 15, T-Mobile confirmed to its satisfaction that there was a cyber attack and contracted an outside company to conduct a forensic investigation.

On August 16, T-Mobile publicly confirmed that the company had been subject to a data breach but declined to say whether any customers' personal information was accessed or how widespread the damage was. On August 18, 2021, T-Mobile provided a preliminary analysis showing that the attackers were able to obtain the records of more than 40 million former and prospective customers who had applied for credit, along with 7.8 million existing postpaid customers. T-Mobile confirmed that the data collected by the hackers included sensitive personal information, such as first and last names, birthdates, driver's license/ID numbers, and Social Security numbers. T-Mobile offered two years of free identity protection services and also proactively reset the PINs on accounts where PINs had been exposed.

On August 24, 2021, it was announced that T-Mobile Business customers were affected by the data breach. The company determined that the types of data affected for business customers included the business's name, federal tax ID, business address, contact name, and business phone number, as well as personal information; there was no indication that business or personal financial information, including credit or debit card information, account passwords or PINs, was included in the data breach. On August 26, John Erin Binns, aka IRDev, claimed responsibility for the attack and provided evidence to support his claim.


Extent of breach

T-Mobile identified 76 million customers and previous customers in the US that might have had their information compromised in the data breach. This included:

* first and last names, addresses, dates of birth, Social Security numbers, and driver's license numbers of 7.8 million current T-Mobile customers and approximately 40 million former and prospective customers;
* the names, dates of birth, and ID numbers of an additional 1.9 million former and prospective customers;
* names, dates of birth, and in many cases addresses of 6.1 million former and prospective customers;
* for some customers, device identifiers and account PINs.

T-Mobile confirmed that no customer financial information such as credit card or debit card information was exposed.


Legal consequences

In late 2022, T-Mobile agreed to settle a class action lawsuit filed by customers. It committed to pay $350 million to settle customers' claims. In 2024, T-Mobile reached a $31.5 million settlement to resolve a Federal Communications Commission probe that included this breach and others.


Indictment and arrests

In January 2024, it was reported that a 12-count sealed federal indictment in the Western District of Washington had been obtained against hacker John Erin Binns for the August 2021 data breach and sale of data. Binns was originally indicted in January 2022. The counts against him include hacking-related offenses as well as conspiracy, wire fraud, money laundering, and aggravated identity theft. He remains in the Republic of Turkey while contesting extradition. The indictment has since been unsealed by the court. Binns was eventually arrested in Turkey and an extradition proceeding to deliver him to the United States is ongoing. In March 2024, Diogo Santos Coelho was arrested in the UK for running a hacking site called RaidForums. It was reported by Vice Media that T-Mobile attempted to stop the sharing of the stolen data at the time of the incident by secretly paying the hackers over $200,000 through Coelho's middleman service. The plan failed and the stolen data remained available for sale. As of December 2024, Binns is living in Turkey awaiting extradition to the United States for his involvement in the 2024 Snowflake data breach.

