T-Mobile is looking into allegations that a hacker stole 106GB of data containing the social security numbers, names, addresses and driver's license information for more than 100 million people.
In a statement to ZDNet, T-Mobile said it is "aware of claims made in an underground forum and have been actively investigating their validity." Teams at T-Mobile have been "working around the clock" to investigate the situation, a spokesperson told ZDNet, adding that they have hired digital forensic experts and contacted law enforcement.
"We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed," the spokesperson said.
"This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others. We understand that customers will have questions and concerns, and resolving those is critically important to us."
A reporter at Motherboard spoke to the hacker, who said they had stolen the data from T-Mobile servers and that the batch also included unique International Mobile Equipment Identity (IMEI) numbers. Motherboard confirmed that the data belonged to real T-Mobile customers.
The hacker told Motherboard that T-Mobile has already kicked them out of the breached servers but noted that copies of the data had already been made. On an underground forum, the hacker is selling a sample of the data containing 30 million social security numbers and driver's licenses for 6 Bitcoin, according to Motherboard and Bleeping Computer.
Alon Gal, co-founder of cybercrime intelligence firm Hudson Rock, also spoke to the hacker and wrote on Twitter that he was told about other motives for the attack.
"The breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019," the hacker allegedly told Gal. "We did it to harm US infrastructure."
Binns filed a lawsuit against the FBI, CIA and Justice Department in November in which he said he was being investigated for various cybercrimes, including participation in the Satori botnet conspiracy. He is a US citizen but lived in Izmir, Turkey, and claimed he had been tortured and spied on for being an alleged member of the Islamic State militant group. He denied being a member of the group in his lawsuit.
The unnamed hacker later spoke to Bleeping Computer to say that they gained access to T-Mobile's systems through "production, staging, and development servers two weeks ago." They also hacked into an Oracle database server that had customer data inside.
To prove it was real, the attackers shared a screenshot of their SSH connection to a production server running Oracle with reporters from Bleeping Computer. They did not try to ransom T-Mobile because they already had buyers online, according to their interview with the news outlet.
T-Mobile has been hacked multiple times over the last few years. In January, the company announced its fourth data breach in three years, following incidents in August 2018, November 2019, and March 2020.