Sievert published a statement outlining what the company knows about the Aug. 17 attack, as well as that T-Mobile has notified nearly all of the customers affected and what steps for cyber security it will take going forward.
“We are confident that there is no ongoing risk to customer data from this breach,” Sievert wrote. During the course of the investigation, the company discovered “how this bad actor illegally gained entry to our servers and we have closed those access points.”
T-Mobile said it was unable to disclose many details about the investigation, but that it is “actively coordinating with law enforcement” on the matter.
For more reporting from the Associated Press, see below.
T-Mobile says it has notified nearly all of the millions of customers whose personal data was stolen and that it is “truly sorry” for the breach.
Sievert said that the company spends lots of effort to try to stay ahead of criminal hackers “but we didn’t live up to the expectations we have for ourselves to protect our customers. Knowing that we failed to prevent this exposure is one of the hardest parts of this event.”
The company disclosed earlier in August that the names, Social Security numbers and information from driver’s licenses or other identification of just over 40 million people who applied for T-Mobile credit were exposed in a recent data breach. The same data for about 7.8 million current T-Mobile customers who pay monthly for phone service also appeared to be compromised.
Sievert’s statement follows a Thursday report in the Wall Street Journal in which John Binns, a 21-year-old American hacker living in Turkey, told the newspaper he was responsible for the hack and blamed T-Mobile’s lax security for making it possible.
Binns told the Journal he discovered an unprotected router exposed on the internet in July, and used that entry point to gain access to servers in a T-Mobile data center near East Wenatchee, Washington, a few hours east of the company’s headquarters in the Seattle suburb of Bellevue.
Sievert made no direct reference to Binns on Friday but said that, “in short, this individual’s intent was to break in and steal data, and they succeeded.”
Sievert said the breach has been contained, the investigation is “substantially complete” and that customer financial information wasn’t exposed. He said T-Mobile hired cybersecurity experts from Mandiant to help with the investigation and is coordinating with law enforcement.
“What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data,” Sievert wrote.
Sievert said the company has notified “just about every” current customer who was affected, and is now doing the same for former customers and prospective customers who might have supplied some personal information in applying for an account. Unaffected customers will see a banner on their T-Mobile online account page letting them know their data was not exposed.
T-Mobile became one of the country’s largest cellphone service carriers, along with AT&T and Verizon, after buying rival Sprint last year. It reported having a total of 102.1 million U.S. customers after the merger.
T-Mobile has previously disclosed a number of data breaches over the years, though the most recent was the largest. Sievert said the company is taking steps to improve its security.
The Federal Communications Commission, which regulates wireless carriers, has said it is investigating the breach.