The number of potential victims in the T-Mobile breach could be as high as 100 million. This comes as class action lawsuits are being filed.
Earlier this month, we reported on the T-Mobile data breach which saw an estimated 47 million former and current customers exposed. Probably the two most unsurprising outcomes in all of this would be that litigation would soon follow and that the breach is worse than initially reported.
It appears that we got both in this case.
One report suggests that the breach has actually topped out at 50 million users. From CNet:
The fallout from T-Mobile’s latest data breach is going from bad to worse. In an update issued Friday, the mobile carrier reported that hackers had illegally accessed one or more associated customer names, addresses, dates of birth, phone numbers, IMEIs and IMSIs of 5.3 million current postpaid customers. T-Mobile also said it had identified an additional 667,000 accounts of former customers that were accessed, with customer names, phone numbers, addresses and dates of birth compromised.
The new numbers push the total number of people affected by the breach past the 50 million mark.
T-Mobile noted that in its most batch of discoveries, affected customers’ driver’s license details and Social Security numbers weren’t illegally accessed.
While this is definitely a sign of things getting worse, another report suggests that the situation is far worse than that. A report on ZDNet pegs the total number closer to 100 million victims:
T-Mobile is looking into allegations that a hacker stole 106GB of data containing the social security numbers, names, addresses and driver’s license information for more than 100 million people.
In a statement to ZDNet, T-Mobile said it is “aware of claims made in an underground forum and have been actively investigating their validity.” Teams at T-Mobile have been “working around the clock” to investigate the situation, a spokesperson told ZDNet, adding that they have hired digital forensic experts and contacted law enforcement.
“We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed,” the spokesperson said.
“This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others. We understand that customers will have questions and concerns, and resolving those is critically important to us.”
If that number is accurate, that is basically the entire customer base of T-Mobile. The idea that a company's entire user base would be affected by a breach isn't really unprecedented. In fact, we saw that and worse in the Desjardins data breach of 2019 which managed to do the seemingly mathematically impossible: have more than 100% of their customer base compromised. Basically, a breach so bad, it was an accomplishment.
At any rate, it's hard to overstate the seriousness of such a breach. In fact, it's partly why it is also unsurprising that class action lawsuits are already in the process of being filed. From Bloomberg:
T-Mobile USA Inc. was hit with a pair of class action lawsuits in Washington federal court accusing the telecommunications company of violating the California Consumer Privacy Act.
T-Mobile violated the CCPA and acted negligently by failing to protect consumer data from a recent data breach that exposed millions of customers’ records, the plaintiffs alleged in their complaints, which were both filed Thursday in the U.S. District Court for the Western District of Washington.
T-Mobile didn’t immediately respond to a request for comment about the lawsuits.
Plaintiff Veera Daruwalla, a resident of Kern County, California, alleged she’s already spent hours addressing privacy concerns stemming from the breach, including reviewing financial and credit statements for evidence of unauthorized activity.
T-Mobile violated the CCPA by failing to prevent consumers’ nonencrypted personally identifiable information “from unauthorized access and exfiltration, theft, or disclosure as a result of Defendant’s violations of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information,” attorneys representing Daruwalla and the proposed class wrote.
Stephanie Espanoza, plaintiff in a separate class action suit, accused T-Mobile of acting negligently by failing to provide adequate security.
Espanoza, a Los Angeles resident, also accused the company of violating the Washington State Consumer Protection Act by committing unfair acts such as providing poor data security.
In the midst of all of this, the person behind the hack apparently stepped forward and claimed responsibility. From The Verge:
A person claiming to be behind the T-Mobile data breach that exposed almost 50 million people’s info has come forward to reveal his identity and to criticize T-Mobile’s security, according to a report by The Wall Street Journal. John Binns told the WSJ that he was behind the attack and provided evidence that he could access accounts associated with it, and he went into detail about how he was able to pull it off and why he did it.
According to Binns, he was able to get customer (and former customer) data from T-Mobile by scanning for unprotected routers. He found one, he told the Journal, which allowed him to access a Washington state data center that stored credentials for over 100 servers. He called the carrier’s security “awful” and said that realizing how much data he had access to made him panic. According to the WSJ, it’s unclear whether Binns was working alone, though he implied that he collaborated with others for at least part of the hack.
The information the hacker gained access to includes sensitive personal data, like names, birthdates, and Social Security numbers, as well as important cellular data like identification numbers for cellphones and SIM cards. T-Mobile has said in a statement that it’s “confident” that it’s “closed off the access and egress points the bad actor used in the attack.”
The WSJ’s report goes in depth into Binns’ history as a hacker. He claims that he got his start making cheats for popular video games and that he discovered the flaw that ended up being used in a botnet that attacked IoT devices (though he denies actually working on the code).
Meanwhile, T-Mobile CEO, Mike Sievert, has issued a statement in response to all of this. From ABC:
T-Mobile says it has notified nearly all of the millions of customers whose personal data was stolen and that it is “truly sorry” for the breach.
CEO Mike Sievert said in a written statement Friday that the company spends lots of effort to try to stay ahead of criminal hackers “but we didn’t live up to the expectations we have for ourselves to protect our customers. Knowing that we failed to prevent this exposure is one of the hardest parts of this event.”
Sievert made no direct reference to Binns on Friday but said that, “in short, this individual’s intent was to break in and steal data, and they succeeded.”
Sievert said the breach has been contained, the investigation is “substantially complete” and that customer financial information wasn’t exposed. He said T-Mobile hired cybersecurity experts from Mandiant to help with the investigation and is coordinating with law enforcement.
“What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data,” Sievert wrote.
Sievert said the company has notified “just about every” current customer who was affected, and is now doing the same for former customers and prospective customers who might have supplied some personal information in applying for an account. Unaffected customers will see a banner on their T-Mobile online account page letting them know their data was not exposed.
So, with reports of the breach growing and ongoing legal action, this story is obviously far from over.
Drew Wilson on Twitter: @icecube85 and Facebook.