T-Mobile CEO apologizes for massive hack, announces cybersecurity deal with Mandiant

The CEO tried to paint a rosy picture of the attack by claiming no financial information was stolen but he admitted that millions of social security numbers were accessed.
Written by Jonathan Greig, Contributor

T-Mobile's CEO has finally spoken out about the massive hack that exposed millions of customers' sensitive information, apologizing for the leak and announcing a cybersecurity pact with Mandiant.

On the one hand, CEO Mike Sievert sought to downplay the incident -- which led to the leak of nearly 48 million social security numbers alongside other information from a total of 50 million people -- by touting the fact that no financial information was lost.

He also implied that the leak of social security numbers, driver's licenses and ID information were "like so many breaches before," but admitted that the company had failed to keep their customers' data safe. 

"The last two weeks have been humbling for all of us at T-Mobile as we have worked tirelessly to navigate a malicious cyberattack on our systems. Attacks like this are on the rise, and bad actors work day-in and day-out to find new avenues to attack our systems and exploit them," Sievert said. 

"We spend lots of time and effort to try to stay a step ahead of them, but we didn't live up to the expectations we have for ourselves to protect our customers. Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry." 

Sievert explained that the company hired Mandiant to conduct an investigation into the incident and said they have since closed the server entry points that gave the hacker, allegedly 21-year-old John Binns, access to T-Mobile data. 

He would not provide more information about the breach because they are "actively coordinating with law enforcement on a criminal investigation." On Thursday, Binns openly took credit for the hack in an interview with the Wall Street Journal while mocking T-Mobile's lackluster cybersecurity. 

"I was panicking because I had access to something big. Their security is awful," Binns said, adding that he launched the attack because of his anger at US law enforcement agencies for allegedly torturing him in Germany and Turkey. 

Binns initially claimed he had access to the information of about 100 million customers. Still, T-Mobile later confirmed that the names, dates of birth, social security numbers, driver's licenses, phone numbers, as well as IMEI and IMSI information for about 7.8 million customers had been stolen in the breach. 

Another 40 million former or prospective customers had their names, dates of birth, social security numbers and driver's licenses leaked. More than 5 million "current postpaid customer accounts" also had information like names, addresses, date of births, phone numbers, IMEIs and IMSIs illegally accessed. 

T-Mobile said another 667,000 accounts of former T- Mobile customers had their information stolen alongside a group of 850 000 active T-Mobile prepaid customers whose names, phone numbers and account PINs were exposed. The names of 52 000 people with Metro by T-Mobile accounts may also have been accessed, according to T-Mobile.

Sievert explained that the hacker behind the attack "leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data." 

"In short, this individual intended to break in and steal data, and they succeeded," Sievert said.

"As of today, we have notified just about every current T-Mobile customer or primary account holder who had data such as name and current address, social security number, or government ID number compromised."  

T-Mobile will also put a banner on the MyT-Mobile.com account login page of others, letting them know if they were not affected by the attack. 

Sievert admitted that the company is still in the process of notifying former and prospective customers, millions of whom also had their information stolen. 

In addition to offering just two years of free identity protection services with McAfee's ID Theft Protection Service, T-Mobile said it was recommending customers sign up for "T-Mobile's free scam-blocking protection through Scam Shield."

The company will also be offering "Account Takeover Protection" to postpaid customers, making it more difficult for customer accounts to be fraudulently ported out and stolen. They urged customers to reset all passwords and PIN numbers as well. 

Sievert also announced that T-Mobile had signed "long-term partnerships" with Mandiant and KPMG LLG to beef up their cybersecurity and give the telecommunications giant the "firepower" needed to improve their ability to protect customers from cybercriminals. 

"As I previously mentioned, Mandiant has been part of our forensic investigation since the start of the incident, and we are now expanding our relationship to draw on the expertise they've gained from the front lines of large-scale data breaches and use their scalable security solutions to become more resilient to future cyber threats," Sievert added. 

"They will support us as we develop an immediate and longer-term strategic plan to mitigate and stabilize cybersecurity risks across our enterprise. Simultaneously, we are partnering with consulting firm KPMG, a recognized global leader in cybersecurity consulting. KPMG's cybersecurity team will bring its deep expertise and interdisciplinary approach to perform a thorough review of all T-Mobile security policies and performance measurements. They will focus on controls to identify gaps and areas of improvement." 

Both Mandiant and KPMG will work together to sketch out a plan for T-Mobile to address its cybersecurity gaps in the future. 

T-Mobile did not respond to requests for further comment from ZDNet. The telecom giant, which is the second largest in the US behind Verizon, has a terrible cybersecurity track record. 

Before the attack two weeks ago, the company had announced four data breaches in the last three years. 

Editorial standards