
T-Mobile says it is "truly sorry" for a data breach earlier this month that exposed over 54 million people's personal information, and the company claims it has informed "nearly" all of its approximately 14 million current customers who were affected.
In a letter published on the carrier’s website on Friday, CEO Mike Sievert confirmed a hacker "illegally gained entry" to the company’s servers on Aug. 17. A 21-year-old American man living in Turkey claimed, in an interview with the Wall Street Journal published on Thursday, that he accessed the company’s servers through an unprotected router he discovered in July.
"What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data," Sievert wrote in the letter.
John Binns, the man who claimed responsibility for the hack, told the Journal he scanned T-Mobile’s known internet addresses for weak spots with a publicly available tool. He said he used the unprotected router to access T-Mobile's data center, from which he was then able to access more than 100 servers thanks to stored credentials.
"I was panicking because I had access to something big," he wrote to the paper in a Telegram message. "Their security is awful."
On Aug. 15, T-Mobile admitted it was investigating claims of a data breach, the same day Motherboard reported on a forum post boasting of having the personal data of over 100 million people. The carrier confirmed the hack a day later, and on Aug. 18 admitted that names, Social Security numbers and other personal information found on the driver’s licenses of over 40 million people had been compromised.
Last week, T-Mobile said over 54.6 million people, in all, had some form of personal information compromised. The vast majority, about 40 million, were former or prospective customers.
Sievert wrote on Friday that the carrier is "now working diligently to notify former and prospective customers." T-Mobile said it will provide anyone "who may have been affected" with two free years of identity protection services.
This breach is the third T-Mobile has divulged within the last two years, and the second since its merger with Sprint, which made it the second-largest carrier in the U.S., was approved last April. The U.S. Federal Communications Commission said last week it would investigate the breach.