Archive for T-Mobile

T-Mobile Has Been Pwned YET AGAIN

Posted in Commentary on September 22, 2023 by itnerd

Yet again, I’m writing about T-Mobile getting pwned and leaking data. Here’s the latest pwnage via vx-underground:

This is the third time this year that T-Mobile has been pwned, as there were incidents in January and May of this year. This is on top of multiple incidents over the years. At this point, you have to wonder why you should do business with T-Mobile. On top of that, I have to ask when the US government will step in and punish them for clearly not having the best security, to say the least. Because when you get pwned this often, there’s clearly something wrong that needs to be addressed by the relevant authorities.

T-Mobile Has Been Pwned Again

Posted in Commentary on December 28, 2021 by itnerd

If you’re a T-Mobile customer you have to be wondering if the company can keep customer data safe. I say that because the news is out that they’ve been pwned. Again:

Affected customers fall into one of three categories. First, a customer may have only been affected by a leak of their CPNI. This information may include the billing account name, phone numbers, number of lines on the account, account numbers, and rate plan info. That’s not great, but it’s much less of an impact than the breach back in August had, which leaked customer social security numbers.

The second category an affected customer might fall into is having their SIM swapped. This is where a malicious actor will change the physical SIM card associated with a phone number in order to obtain control of said number. This can, and often does, lead to the victim’s other online accounts being accessed via two-factor authentication codes sent to their phone number. The document says that customers affected by a SIM swap have now had that action reversed.

The final category is simply both of the other two. Affected customers could have had both their private CPNI viewed as well as their SIM card swapped.

This comes after T-Mobile had a massive data breach in the summer. And keep in mind that this company has been pwned in the past too. Clearly this company does not have the best track record of protecting data. Which, if you’re a T-Mobile customer, should make you reconsider if you should be dealing with them.

T-Mobile CEO “Sorry” For Massive Data Breach….. Sure….

Posted in Commentary on August 27, 2021 by itnerd

I guess the heat is getting to T-Mobile when it comes to the fact that they were either victims of massive pwnage, or just badly pwned, and it may still get worse for them. Especially since the hacker that pwned them says that their security was “awful.” I say that because the CEO of T-Mobile Mike Sievert has issued a public apology for T-Mobile’s failure to prevent the pwnage via an open letter posted to the T-Mobile website.

To say we are disappointed and frustrated that this happened is an understatement. Keeping our customers’ data safe is a responsibility we take incredibly seriously and preventing this type of event from happening has always been a top priority of ours. Unfortunately, this time we were not successful.

Attacks like this are on the rise and bad actors work day-in and day-out to find new avenues to attack our systems and exploit them. We spend lots of time and effort to try to stay a step ahead of them, but we didn’t live up to the expectations we have for ourselves to protect our customers. Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry.

I’m sorry, but this doesn’t cut it.

If you’re the CEO of a major company with tons of customer information, and you’ve been pwned on this scale, you should be drafting a letter of resignation immediately. Doubly so given that T-Mobile has been pwned so often. Let me give you a list:

  • The theft of the details of 2 million customers in August 2018
  • A hack involving the theft of prepaid customer data in November 2019
  • The theft of employee and customer data in March 2020 
  • A “security incident” involving “malicious, unauthorized access” to some information related to T-Mobile accounts in January

There’s no excuse for any of this and he needs to walk the plank.

T-Mobile Hacker Says T-Mobile’s Security Is “Awful”

Posted in Commentary on August 27, 2021 by itnerd

It’s bad enough that T-Mobile got either massively pwned by a hacker, or just badly pwned by a hacker. Though it may still get worse. But it just got worse for the American telco. The hacker who pwned them is speaking out. His name is John Binns, a 21-year-old American who lives in Turkey, and he doesn’t have flattering things to say about the telco and their security:

In messages with the Journal, Mr. Binns said he managed to pierce T-Mobile’s defenses after discovering in July an unprotected router exposed on the internet. He said he had been scanning T-Mobile’s known internet addresses for weak spots using a simple tool available to the public.

The young hacker said he did it to gain attention. “Generating noise was one goal,” he wrote. He declined to say whether he had sold any of the stolen data or whether he was paid to breach T-Mobile.

And:

Mr. Binns said he used that entry point to hack into the cellphone carrier’s data center outside East Wenatchee, Wash., where stored credentials allowed him to access more than 100 servers.

“I was panicking because I had access to something big,” he wrote. “Their security is awful.”

He said it took about a week to burrow into the servers that contained personal data about the carrier’s tens of millions of former and current customers, adding that the hack lifted troves of data around Aug. 4.

You have to wonder how this is going over inside T-Mobile, especially since they’ve been pwned on numerous occasions. But more importantly, this is going to spark a lot of questions and inquiries from people outside T-Mobile. And I’m going to bet that T-Mobile really doesn’t want to answer any questions whatsoever. Because when you’ve been pwned as often as they have, lawmakers and others are going to make your life miserable.

T-Mobile Discovers That Their Pwnage Issues Are Worse Than They Thought

Posted in Commentary on August 20, 2021 by itnerd

This morning, T-Mobile shared its latest discoveries as it continues its investigation into the hack that resulted in information on almost 50 million people being leaked. The new information indicates that 5.3 million more current postpaid customer accounts were compromised:

We previously reported information from approximately 7.8 million current T-Mobile postpaid customer accounts that included first and last names, date of birth, SSN, and driver’s license/ID information was compromised. We have now also determined that phone numbers, as well as IMEI and IMSI information, the typical identifier numbers associated with a mobile phone, were also compromised. Additionally, we have since identified another 5.3 million current postpaid customer accounts that had one or more associated customer names, addresses, date of births, phone numbers, IMEIs and IMSIs illegally accessed. These additional accounts did not have any SSNs or driver’s license/ID information compromised.

And that’s not all:

We also previously reported that data files with information from about 40 million former or prospective T-Mobile customers, including first and last names, date of birth, SSN, and driver’s license/ID information, were compromised. We have since identified an additional 667,000 accounts of former T-Mobile customers that were accessed with customer names, phone numbers, addresses and dates of birth compromised. These additional accounts did not have any SSNs or driver’s license/ID information compromised.

I have the sneaking suspicion that more details are going to leak out that will bring this number to the 100 million that was previously reported. And that won’t be a good look for T-Mobile.

T-Mobile Got Pwned…. Again….. And They Are Sure Acting Like They Don’t Want Their Customers To Know About It

Posted in Commentary on August 17, 2021 by itnerd

T-Mobile recently disclosed that they will investigate the theft of over 100 million of their users’ personally identifiable information being sold on the web. How many customers does T-Mobile have? About 100 million. So basically, every T-Mobile customer has been affected by this. And this is not the first time that T-Mobile has been pwned. More on that shortly.

All together now: Whiskey Tango Foxtrot?

“We have determined that unauthorized access to some T-Mobile data occurred,” a spokesperson said in a statement. But “we are confident that the entry point used to gain access has been closed.”

The company added that they are addressing the matter with the “highest degree of urgency” but admitted it will “take some time.”

The company on August 15 said it is looking into an alleged massive data breach compromising over 100 million users based on a claim made in an underground forum post, according to Vice’s Motherboard.

T-Mobile said it cannot confirm further details until it has completed its assessment but ensured customers it has enlisted the help of digital forensic experts and law enforcement.

The seller, according to the post, is asking for bitcoin in exchange.

Here’s where things get sketchy. T-Mobile posted a notification on the Twitter account of their CEO Mike Sievert. Not their main Twitter account. Not their customer assistance account. The CEO’s Twitter account.

This account is the least likely to be seen by T-Mobile customers. The responsible thing for T-Mobile to do would have been to publicize this far and wide. But that’s not what’s happening here. And what’s worse is that Sievert, or someone who controls his Twitter account, is handing over these sorts of responses over and over again:

Here’s another example:

Let’s cut to the chase:

  • T-Mobile got pwned. Again, as this is not the first time that they have been pwned. Let me list all the previous hacks:
    • The theft of the details of 2 million customers in August 2018
    • A hack involving the theft of prepaid customer data in November 2019
    • The theft of employee and customer data in March 2020 
    • A “security incident” involving “malicious, unauthorized access” to some information related to T-Mobile accounts in January
  • Every customer has been affected. Every. Single. Customer.
  • T-Mobile isn’t exactly going out of their way to inform their customers about this. Nor does it seem that they have a plan to protect their customers.
  • What communication they are doing is a PR disaster.

T-Mobile at this point deserves to not only lose every customer that they have, but this merits them being hauled in front of Congress, investigated, and punished in the most severe way possible. Because T-Mobile has simply failed its customers in the worst way possible.

Sprint & T-Mobile USA Announce Merger Agreement

Posted in Commentary on April 30, 2018 by itnerd

The big news coming out of the US telco space over the weekend is a merger agreement between US telcos Sprint and T-Mobile. The new combined company will be named T-Mobile and current T-Mobile CEO John Legere will serve as the Chief Executive Officer. The new company promises that it will be a “force for positive change”. What sort of change? Here’s the video:

Along with the faster rollout of 5G technology, Sprint and T-Mobile say the merger will lead to job creation, lower prices for consumers, improved coverage, and “unprecedented network capacity.” We’ll see if all that comes true. Assuming that this deal gets approved of course. That’s a bit of an open question seeing as there’s currently a battle in the courts with the AT&T / Time Warner merger. So we’ll have to wait and see on that front.

Hopefully, this new company decides to come to Canada as we could use some of that “force for positive change” around here.

T-Mobile Lets You Use Your Phone In The US, Canada, And Mexico With No Roaming Fees

Posted in Commentary on July 10, 2015 by itnerd

T-Mobile has come up with two things that got my attention.

  • T-Mobile customers can now use their smartphones to make calls, send text messages and browse the mobile Web in US, Canada and Mexico without any roaming charges.
  • T-Mobile customers can now call Canadian and Mexican numbers from the US without incurring any fees

The program starts July 15th. Oh, before any Canadians say “sign me up”, forget about it. The fine print says this:

you must reside in the U.S. and primary usage must occur on our U.S. network.

It sucks to be Canadian clearly. It makes me wonder the following:

  1. Why can’t the big three carriers in Canada do this?
  2. How can we convince T-Mobile to set up shop in Canada?

So for fun, I decided to put out this tweet to T-Mobile CEO John Legere:

If he responds, I’ll post it here.

UPDATE: T-Mobile responded via Twitter:

My response was this:

T-Mobile CEO Apologizes For Saying Competition “Raping” Customers

Posted in Commentary on June 23, 2014 by itnerd

If you’re American and you’re on T-Mobile, you might want to take your business elsewhere. T-Mobile CEO John Legere was caught by Bustle among others saying this among other things:

These high and mighty duopolists that are raping you for every penny you have…the fuckers hate you.

Really? A rape metaphor from a CEO of a major corporation? If I were a T-Mobile customer, I’d break my contract to go with some other carrier. I guess that Legere either figured that out on his own, or more likely some PR droid told him that his comments were ill advised. This Tweet then appeared:

Really? Apologizing on Twitter doesn’t cut it. How about a news conference where you have to apologize for your tasteless comments and have to own up to them completely? That would show that you have a pair. This apology smells of cowardice. Total and absolute cowardice. Given this response, I say dump T-Mobile and show Legere that consumers will express their displeasure over this fiasco by moving their dollars elsewhere.

BlackBerry To T-Mobile USA: You’re Cut Off

Posted in Commentary on April 2, 2014 by itnerd

T-Mobile a couple of months back did something that I will call ill advised. It e-mailed BlackBerry users on their network encouraging them to switch to a competitor’s device. Specifically the iPhone 5S. That didn’t go over so well. The BlackBerry blog details what happened next. In short, BlackBerry users got upset. Boy did they get upset. So you’d think that this was the end of it. And it was, until last night when this tweet appeared:

Now is this a big deal? On one hand, BlackBerry products were already hard to find in T-Mobile stores as they were not being stocked. But on the other hand, it has to be a huge slap to T-Mobile. It also shows that BlackBerry isn’t going to be pushed around. There’s a press release that was posted as part of that tweet that has this interesting tidbit:

BlackBerry customers on the T-Mobile network should not see any difference in their service or support. BlackBerry will work closely with T-Mobile to provide the best possible customer service to any customer remaining on the T-Mobile U.S. network or to any customer purchasing devices from T-Mobile’s existing inventory.

BlackBerry is also working closely with other carrier partners to provide consumers and business users with alternatives should they decide to transition to another carrier and remain with BlackBerry for their long-term device and service needs. For additional details, offers and assistance, business customers and consumers can go to http://us.blackberry.com/smartphones.html.

Hmm… BlackBerry working with other carriers to provide alternatives to loyal BlackBerry users? I can’t wait to see how T-Mobile spins that.