In the wake of a major cyber attack on T-Mobile US, CEO Mike Sievert has issued an apology and an update on how the carrier is dealing with the breach.
“The last two weeks have been humbling for all of us at T-Mobile as we have worked tirelessly to navigate a malicious cyberattack on our systems,” Sievert said in a company blog post. The breach has been contained and the company’s investigation is “substantially complete,” he added.
T-Mobile US (and Sprint, which is now a part of T-Mo) has been hacked before, but this is its largest security breach to date. The company has said that the information of about 13.1 million current postpaid customers had associated information illegally accessed, as well as data files with information on about 40.6 million “former or prospective T-Mobile customers”, and information including account PINS was breached for around 900,000 active T-Mobile or Metro prepaid customers.
A 21-year-old U.S. citizen living in Turkey has claimed responsibility for the attack; he has spoken to multiple media outlets, provided evidence to support his claim to the Wall Street Journal and said that he conducted the attack in retaliation for being targeted by United States law enforcement agencies over alleged involvement in a malicious botnet. The man claims he was abducted and tortured by U.S. agencies and has filed a lawsuit against the Department of Justice, FBI and CIA in the Washington, D.C. District Court.
While Sievert was circumspect about the amount of detail he shared about the attack and said that the carrier is “actively coordinating with law enforcement on a criminal investigation,” he did say that “The bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data. In short, this individual’s intent was to break in and steal data, and they succeeded.
“Keeping our customers’ data safe is a responsibility we take incredibly seriously and preventing this type of event from happening has always been a top priority of ours,” Sievert added. “Unfortunately, this time we were not successful.
“Attacks like this are on the rise and bad actors work day-in and day-out to find new avenues to attack our systems and exploit them. We spend lots of time and effort to try to stay a step ahead of them, but we didn’t live up to the expectations we have for ourselves to protect our customers,” Sievert continued. “Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry.”
He said that T-Mobile US has expanded its relationship with security company Mandiant and it has also begun working with KPMG to bolster its security strategy. Sievert said that the carrier has notified “just about” every current T-Mobile US customer or primary account holder who had been impacted and that it is working to notify former and prospective customers whose information was accessed illegally. T-Mo is offering two free years of an identity protection service, making account takeover protection available for postpaid customers so that their accounts can’t be fraudulently ported out, and has taken steps including automatic re-sets of prepaid account PINs.
“This is not a one-and-done process. There is much work to do, and this will take time, and we remain committed to doing our best to ensure those who had information exposed feel informed, supported, and protected by T-Mobile,” Sievert wrote. “We know that the bad actors out there will continue to evolve their methods every single day and attacks across nearly every industry are on the rise. However, while cyberattacks are commonplace, that does not mean that we will accept them. … We know we need additional expertise to take our cybersecurity efforts to the next level.” He said that the arrangements with Mandiant and KPMG “are part of a substantial multi-year investment to adopt best-in-class practices and transform our approach. This is all about assembling the firepower we need to improve our ability to fight back against criminals and building a future-forward strategy to protect T-Mobile and our customers.”