MacRumors

macrumors bot
Original poster
Apr 12, 2001


T-Mobile CEO Mike Sievert today penned a letter to T-Mobile customers apologizing for the recent data breach that impacted more than 50 million current, former, and prospective T-Mobile users.


Data that included names, phone numbers, addresses, birth dates, social security numbers, driver's license and ID info, IMEI numbers, and IMSI numbers was stolen and has been offered for sale.

"We didn't live up to the expectations we have for ourselves to protect our customers," wrote Sievert. "Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry."

He went on to say that T-Mobile is "disappointed and frustrated" and that keeping customer data safe is a responsibility that is taken "incredibly seriously." Preventing attacks is a "top priority" for the company.

The hacker who claims to have attacked T-Mobile's servers said yesterday that T-Mobile's security is "awful." The hacker said that he discovered an unprotected T-Mobile router in July and used it to reach T-Mobile's data center in Washington, where he was able to get in using stored credentials.

Sievert said that T-Mobile is coordinating with law enforcement on a criminal investigation, and that the company is unable to disclose specific details at this time.

What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.

T-Mobile has now notified every current T-Mobile customer about the data breach, and is working to notify former and prospective customers. Those affected can visit T-Mobile's website dedicated to the attack, which provides tools for signing up for free McAfee ID Theft Protection, setting up Scam Shield, and using the Account Takeover Protection service.

In an attempt to prevent future attacks, T-Mobile has entered long-term partnerships with cybersecurity experts at Mandiant and with consulting firm KPMG LLP. T-Mobile is planning a multi-year investment into beefing up its security.

Article Link: T-Mobile CEO Apologizes for Data Breach, Shares Info on Future Security Plans
 
T-Mobile does have terrible security, even from a consumer’s perspective. They support TOTP tokens for two-factor authentication, but even if one enables it you can still use SMS as a fallback. This defeats the whole point as SMS has known vulnerabilities and is deprecated as a 2FA measure by NIST. Oh and by the way, your Apple ID has this vulnerability too. Hope your phone number is secure.
 
Looks like I escaped this one. On the account page it tells me that "at this time" my information was not affected. Last thing I need is another credit monitoring service.

Per the previous post they also need to give me an option to block SMS as a fall back.
 
All empty words.

T-Mobile should minimally implement:
  • Non-SMS 2FA: Integrate with more secure 3rd party SSO like Apple or Google, and allow customers to use only RFC-6238 without the SMS fallback.
  • Automated PIN Entry: Currently, a T-Mobile representative asks customers to recite the PIN. A bank teller would never ask for your PIN. The entry should be done by an automated system.
  • Close the Backdoors: A T-Mobile representative can bypass the PIN and reset it with easily hacked info like social security number and mother's maiden name. Resetting them should require a third party knowledge-based authentication service.
  • Data minimization: Do not store sensitive info like social security number, birthdate, and driver's license. Customers should be required to enter this information whenever T-Mobile needs to pull a credit report.
  • Data retention: When a customer leaves, encrypt and archive their data to an entirely separate system that requires more stringent access control. And allow customers to delete them indefinitely.
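As an added illustration of the first item (example code written for this page, not T-Mobile's or the poster's), an RFC 6238 TOTP verifier checked against the RFC's published test vectors, plus a small policy function that refuses the SMS fallback once a customer has enrolled an authenticator and opted out of SMS. The enrolment record keys ("totp", "sms", "sms_fallback") are assumed names.

```python
import hashlib
import hmac
import struct

# Constructed example: the RFC 6238 Appendix B test secret, used here only to
# check the implementation against the RFC's published vectors.
RFC6238_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the 30 s time step."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1,
                step: int = 30, digits: int = 8) -> bool:
    """Accept the code for the current step or +/- `window` adjacent steps
    (clock skew), comparing in constant time."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(key, counter + d, digits), code)
               for d in range(-window, window + 1))


def second_factor_allowed(enrolment: dict, method: str) -> bool:
    """Policy check on which second factor a login may use.

    `enrolment` is an assumed account record with keys "totp" (authenticator
    enrolled), "sms" (phone number on file) and "sms_fallback" (customer
    opted in to SMS as a fallback). Once TOTP is enrolled and the customer
    has opted out of the fallback, an SMS challenge is never offered, so the
    weaker channel cannot set the security bar for the account.
    """
    if method == "totp":
        return bool(enrolment.get("totp"))
    if method == "sms":
        if enrolment.get("totp") and not enrolment.get("sms_fallback", True):
            return False
        return bool(enrolment.get("sms"))
    return False
```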
 
I actually had a nightmare last night because of this, where my phone was being hacked and I couldn't do anything to stop it or turn off my phone. I know it ain't real but yeah I guess you can say this security breach thing is kind of stressing me out.
 
"At this time we have no information that indicates your SSN, driver’s license or government issued ID associated with your account were impacted."

Oh good! I was worried, because having McAfee seems like even worse than being hacked.
 
I read there have been five hacks in three years. As much as I like the 55+ plan that costs me $70/month for two lines (and free MLB.tv) I am having a hard time sticking with T-Mobile. I'm considering going back to Verizon after the new iPhones come out next month. Maybe they'll have some deal on the 12 or 13 for new subscribers.
 
Tried changing my PIN and all it did was sign me out of the TMOBILE app when I attempted to log in. They need to do better. And just add to that, I think this breach exposes why I have been getting so many scam calls lately.
 
T-mobile's customer support technology in general is total garbage. And this breach once again proves it.

And somebody's lying, the hacker or the CEO, and I'm betting the CEO. This story reports that the hacker "was able to get in using stored credentials" but the CEO says "the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods". Is it "stored credentials" or "brute force attacks"? The CEO is full of crap.

I WAS a T-mobile customer for almost 8 years. Ironically 5 weeks ago I finally got around to dumping them, and chose Mint Mobile. Comparing T-mobile tech to Mint's is night and day. T-mobile's customer portal via web and app is embarrassing. Mint's app is stellar - it's how it should be done. With Mint you can sign up, get a free trial, activate your iPhone with an eSIM, activate a paid plan, switch plans and everything else, right within the Mint iOS app. And their web UI is a modern 2020s design.

I worked with a guy at Apple who just joined T-mo 5 months ago as their Chief Digital Officer, named Marcus East. Marcus must be kickin' himself for making the move.... or politicking his way into the CEO chair. 👿 😉
 
Mint is a T-Mobile MVNO. Hope they did their homework and trust their network security.
 
Yup, I know. I'm sayin' Mint's customer support tech is radically better than T-mo's. And since the hack got into customer support dbs.... well, we can do the math.

And the customer support tech is one indicator of the management talent... or in the case of T-mo, the lack thereof.
 
It's 2021. They could at a minimum start by salting and hashing customer PINs in their database. The account number and PIN are the only info needed to port out your number. It's honestly a joke that the PIN is stored in clear text.

I left T-Mobile last week. Right after porting, they locked me out of my online account. I called to ask about how my final bill would be delivered since I'm paperless. The rep asked for my name and phone number and then proceeded to read my mailing address to confirm that's where a bill will be sent. If you ever have a stalker that knows your name and phone number, T-Mobile customer service would be more than happy to hand out your home address.
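As an added example of the salted-and-hashed PIN storage the post above asks for (written for this page; not T-Mobile's code and not the poster's), a record format and verifier for short numeric PINs. Because a 4-digit PIN has only 10,000 possible values, the example adds two things hashing alone cannot provide: a server-side pepper kept outside the database (assumed to live in a KMS or HSM; here a constructed random key) and a failure counter that locks the PIN after a fixed number of wrong guesses.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 figure)
MAX_FAILURES = 5             # a 4-digit PIN has 10,000 values; online guessing must be capped

# Constructed example pepper. In production this key is held in a KMS/HSM and
# never stored next to the PIN records, so a dump of the table alone is useless.
DEMO_PEPPER = os.urandom(32)


def _derive(pin: str, salt: bytes, pepper: bytes) -> bytes:
    # Key the PIN with the pepper first, then stretch with PBKDF2 and a per-record salt
    # so that identical PINs across customers produce different hashes.
    keyed = hmac.new(pepper, pin.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", keyed, salt, PBKDF2_ITERATIONS)


def enroll_pin(pin: str, pepper: bytes = DEMO_PEPPER) -> dict:
    """Return the record to store: salt, hash and failure counter, never the PIN itself."""
    if not (pin.isdigit() and 4 <= len(pin) <= 8):
        raise ValueError("PIN must be 4-8 digits")
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive(pin, salt, pepper), "failures": 0}


def is_locked(record: dict) -> bool:
    return record["failures"] >= MAX_FAILURES


def check_pin(record: dict, candidate: str, pepper: bytes = DEMO_PEPPER) -> bool:
    """Verify a PIN against the stored record, counting failures and refusing all
    attempts once locked. The lock is cleared only by a proper reset flow, not by a
    representative reading or retyping the PIN."""
    if is_locked(record):
        return False
    ok = hmac.compare_digest(_derive(candidate, record["salt"], pepper), record["hash"])
    record["failures"] = 0 if ok else record["failures"] + 1
    return ok
```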
 
Apologies only go so far. As a current T-Mobile customer, I want to see them take the security of their customer accounts more seriously, since they obviously were not before.

I went ahead and changed my password and enrolled in the free identity theft monitoring, but the fact that this isn't the first time this happened has me seriously considering moving to another carrier (namely Verizon), even though I'd pay more per month between my wife and I.
 
they locked me out of my online account. I called to ask about how my final bill
T-mo did the exact same thing to my account, when Mint transferred my phone number T-mo killed my account so I couldn't login to confirm my account was closed and get bills. BTW: That transfer took less than 10 minutes - it was so fast I didn't count the exact amount, but it was <10.

Weeks later I had to call T-mo to email me my last bill. That was 11 days ago. I'm still waiting for it....

Once again, this goes to confirm T-mo's bad management and incompetent customer support.
 