Another Week, Another Hack: T-Mobile
T-Mobile, one of the biggest telecommunications companies in the US, was hacked nearly two weeks ago, exposing the sensitive information of more than 50 million current, former and prospective customers.
Names, addresses, social security numbers, driver’s licenses and ID information for about 48 million people were accessed in the hack, which initially came to light on August 16.
Here’s everything we know so far:
How many people are affected by the hack?
T-Mobile released a statement last week confirming that the names, dates of birth, social security numbers, driver’s licenses, phone numbers, as well as IMEI and IMSI information for about 7.8 million customers had been stolen in the breach.
Another 40 million former or prospective customers had their names, dates of birth, social security numbers and driver’s licenses leaked.
More than 5 million “current postpaid customer accounts” also had information like names, addresses, dates of birth, phone numbers, IMEIs and IMSIs illegally accessed.
T-Mobile said another 667,000 accounts of former T-Mobile customers had their information stolen alongside a group of 850,000 active T-Mobile prepaid customers, whose names, phone numbers and account PINs were exposed.
The names of 52,000 people with Metro by T-Mobile accounts may also have been accessed, according to T-Mobile.
Who attacked T-Mobile?
A 21-year-old US citizen by the name of John Binns told The Wall Street Journal and Alon Gal, co-founder of cybercrime intelligence firm Hudson Rock, that he is the main culprit behind the attack.
His father, who died when he was two, was American and his mother is Turkish. He and his mother moved back to Turkey when Binns was 18.
How did the attack happen?
Binns, who was born in the US but now lives in Izmir, Turkey, said he conducted the attack from his home. Through Telegram, Binns provided evidence to the Wall Street Journal proving he was behind the T-Mobile attack and told reporters that he originally gained access to T-Mobile’s network through an unprotected router in July.
According to the Wall Street Journal, he had been searching for gaps in T-Mobile’s defenses through its internet addresses and gained access to a data center near East Wenatchee, Washington where he could explore more than 100 of the company’s servers. From there, it took about one week to gain access to the servers that contained the personal data of millions. By August 4 he had stolen millions of files.
“I was panicking because I had access to something big. Their security is awful,” Binns told the Wall Street Journal. “Generating noise was one goal.”
Binns also spoke with Motherboard and Bleeping Computer to explain some dynamics of the attack.
He told Bleeping Computer that he gained access to T-Mobile’s systems through “production, staging, and development servers two weeks ago.” He hacked into an Oracle database server that had customer data inside.
To prove it was real, Binns shared a screenshot of his SSH connection to a production server running Oracle with reporters from Bleeping Computer. They did not try to ransom T-Mobile because they already had buyers online, according to their interview with the news outlet.
T-Mobile CEO Mike Sievert explained that the hacker behind the attack “leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.”
“In short, this individual’s intent was to break in and steal data, and they succeeded,” Sievert said.
Binns claimed he stole 106GB of data but it is unclear whether that is true.
Why did Binns do it?
He claims US agencies abducted him in Germany and Turkey and tortured him.
“I have no reason to make up a fake kidnapping story and I’m hoping that someone within the FBI leaks information about that,” he explained in his messages to the Wall Street Journal.
The lawsuit includes a variety of claims by Binns that the CIA broke into his homes and wiretapped his computers as part of a larger investigation into his alleged cybercrimes. He filed the suit in a Washington DC District Court.
“We did it to harm US infrastructure,” the message said, according to Gal.
Was Binns alone in conducting the attack?
While Binns did not explicitly say he worked with others on the attack, he did admit that he needed help in acquiring login credentials for databases inside T-Mobile’s systems.
Some news outlets have reported that Binns was not the only person selling the stolen T-Mobile data.
When did T-Mobile discover the attack?
T-Mobile CEO Mike Sievert said on August 27 that he could not share more information about the technical details of the attack because they are “actively coordinating with law enforcement on a criminal investigation.”
It is unclear what agencies are working on the case and T-Mobile did not respond to questions about this.
What is T-Mobile doing about the hack?
Sievert explained that the company hired Mandiant to conduct an investigation into the incident.
“As of today, we have notified just about every current T-Mobile customer or primary account holder who had data such as name and current address, social security number, or government ID number compromised,” he said in a statement.
Sievert admitted that the company is still in the process of notifying former and prospective customers, millions of whom also had their information stolen.
In addition to offering just two years of free identity protection services with McAfee’s ID Theft Protection Service, T-Mobile said it was recommending customers sign up for “T-Mobile’s free scam-blocking protection through Scam Shield.”
They urged customers to reset all passwords and PINs as well.
Sievert also announced that T-Mobile had signed “long-term partnerships” with Mandiant and KPMG LLP to beef up its cybersecurity and give the telecommunications giant the “firepower” needed to improve its ability to protect customers from cybercriminals.
“As I previously mentioned, Mandiant has been part of our forensic investigation since the start of the incident, and we are now expanding our relationship to draw on the expertise they’ve gained from the front lines of large-scale data breaches and use their scalable security solutions to become more resilient to future cyber threats,” Sievert added.
“They will support us as we develop an immediate and longer-term strategic plan to mitigate and stabilize cybersecurity risks across our enterprise. Simultaneously, we are partnering with consulting firm KPMG, a recognized global leader in cybersecurity consulting. KPMG’s cybersecurity team will bring its deep expertise and interdisciplinary approach to perform a thorough review of all T-Mobile security policies and performance measurement. They will focus on controls to identify gaps and areas of improvement.”
Both Mandiant and KPMG will work together to sketch out a plan for T-Mobile to address its cybersecurity gaps in the future.
Has this happened to T-Mobile before?
Before the attack two weeks ago, the company had announced four data breaches in the last three years. The company disclosed a breach in January after incidents in August 2018, November 2019, and March 2020.
The investigation into the January incident found that hackers accessed around 200,000 customer details such as phone numbers, the number of lines subscribed to an account, and, in some cases, call-related information, which T-Mobile said it collected as part of the normal operation of its wireless service.
The previous breaches included a March 2020 incident where T-Mobile said hackers gained access to both its employees’ and customers’ data, including employee email accounts, a November 2019 incident where T-Mobile said it “discovered and shut down” unauthorized access to the personal data of its customers, and an August 2018 incident where T-Mobile said hackers gained access to the personal details of 2 million of its customers.
Before it merged with T-Mobile in 2020, Sprint also disclosed two security breaches in 2019, one in May and a second in July.
What happens now?
Binns has not said if he has sold the data he stole, but he told Bleeping Computer that there were already multiple prospective buyers.