T-Mobile CEO Apologizes For 'Humbling' Data Breach After Hacker Details His Attack Route
"We take our customers' protection very seriously and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack," said T-Mobile in a post to its website last week. "While our investigation is ongoing, we wanted to share these initial findings even as we may learn additional facts through our investigation that cause the details above to change or evolve."
Now, CEO Mike Sievert is adding a more personal tone to T-Mobile's response with a full apology. According to Sievert, the entire experience has been "humbling" and he outlined "measures we are taking to better protect consumers from future incidents like this."
He went on to add that while T-Mobile has taken great strides to protect its internal systems and the personal information of customers, it simply dropped the ball this time. "We spend lots of time and effort to try to stay a step ahead of them, but we didn't live up to the expectations we have for ourselves to protect our customers," Sievert added. "Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry."
While Sievert didn't elaborate on how the attack was perpetrated, he did state:
What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data. In short, this individual's intent was to break in and steal data, and they succeeded.
However, the person claiming to have "hacked" T-Mobile says they did so by first scanning for unprotected routers. Then, according to the Wall Street Journal, when one was found, he used it to pry into a Washington state data center that just so happened to store credentials to over 100 servers. The hacker obtained customers' full names, birth dates, social security numbers, and driver's license details with this access.
In the aftermath of this attack, the following steps are being taken for affected customers:
- offering two years of free identity protection services with McAfee's ID Theft Protection Service to all persons who may have been affected
- recommending customers sign up T-Mobile's free scam-blocking protection through Scam Shield
- making Account Takeover Protection available for postpaid customers, which makes it more difficult for customer accounts to be fraudulently ported out and stolen
- suggesting other best practices and practical security steps like resetting PINs and passwords for all customers.
"As we learn and evolve, we will always work to keep you informed of any important updates or relevant changes," Sievert concludes. "I also commit to you that while we're starting on this path with humility, we will bring to it the same Un-carrier energy that we have used for years to help transform the wireless industry for the benefit of consumers and businesses everywhere."