Massachusetts Attorney General Probing T-Mobile Breach
Security Incident Exposed Personal Information for 54 Million People
Massachusetts Attorney General Maura Healey says her office is now probing the massive data breach at T-Mobile that exposed the personal information of 54 million people, including current, former and prospective customers of the carrier.
As part of the state attorney general's probe, Healey says that her office will investigate whether T-Mobile, which is the nation's third-largest wireless carrier, had proper cybersecurity safeguards in place to protect consumer data and mobile device information.
The probe will also investigate the circumstances of the breach and the steps T-Mobile is taking to address its cybersecurity protections. The carrier first announced the breach in August (see: T-Mobile Probes Attack, Confirms Systems Were Breached).
"As we investigate to understand the full extent of what's happened, we urge impacted consumers to take the necessary precautions to ensure their information is safe, and to prevent identity theft and fraud," Healey said Tuesday as part of her office's announcement of the investigation.
A T-Mobile spokesman could not be immediately reached for comment Tuesday.
Besides the Massachusetts attorney general's investigation, the U.S. Federal Communications Commission is probing the T-Mobile breach, according to Reuters.
On Aug. 16, T-Mobile, which is the Bellevue, Washington-based mobile communications subsidiary of Germany's Deutsche Telekom, announced that it was investigating a potential breach after an attacker posted some of the information for sale on a well-known forum for trading stolen data. At the time, the cybercriminals were asking for 6 bitcoins, or around $286,000, for access (see: T-Mobile USA Investigates Possible Data Breach).
The carrier later contacted law enforcement authorities and a third-party security firm, and T-Mobile was able to confirm the breach a few days later. The company later found that the attackers had initially breached its network in July.
T-Mobile estimated that the personally identifiable information of at least 13.1 million current customers, as well as 40 million former and prospective customers, was compromised during the breach.
The Massachusetts attorney general did not specify how many of the 54 million people affected by the breach are residents of that state.
Some of the personally identifiable information exposed during the breach included names, driver's license information, government identification numbers, Social Security numbers, addresses and dates of birth. For some consumers affected by the incident, the data included T-Mobile prepaid PIN cards, phone numbers, International Mobile Equipment Identity numbers and International Mobile Subscriber Identity numbers.
On Aug. 27, T-Mobile CEO Mike Sievert offered a 1,200-word apology to the carrier's current and former customers and noted that while the investigation would continue, the company would not release any specific information at the time (see: T-Mobile CEO Apologizes for Mega-Breach, Offers Update).
When Sievert offered his apology, the alleged attacker, a 21-year-old American citizen living in Turkey, told The Wall Street Journal in a series of Telegram exchanges how he had found an unprotected T-Mobile router while scanning the company for vulnerabilities in July.
The entry point that John Binns, the alleged attacker, found led into a data center in Wisconsin, from which he obtained access to more than 100 servers, allowing him to start exfiltrating data on Aug. 4, according to the Journal. Binns also claimed he had conducted the attack more for glory than money, but he would not tell the Journal whether he sold any of the stolen data.
"Their security is awful," Binns told the Journal about the attack on T-Mobile. The company declined to comment on the report.
While the T-Mobile breach made major headlines, the attack was a much different threat than the other cyber incidents that had made headlines in the weeks before, which included several ransomware attacks against companies such as Colonial Pipeline Co., JBS and Kaseya (see: Bad News: Innovative REvil Ransomware Operation Is Back).
After confirming the breach and the large number of people involved, T-Mobile began offering those affected a prepaid, two-year subscription to McAfee's ID Theft Protection service to help prevent and detect possible account takeover, identity theft and fraud.
As part of its investigation, the Massachusetts attorney general urged T-Mobile customers, as well as those who had applied for T-Mobile services in the past, "to consider taking steps to protect themselves from identity theft." The attorney general also warned against possible phishing attempts using stolen or compromised data.
While these types of large-scale breaches are typically investigated by federal agencies, states are known to start their investigations as well as bring class action lawsuits on behalf of consumers. In April 2020, Massachusetts and Indiana reached separate settlements with Equifax over the 2017 data breach that exposed the personal information of millions of residents of both states (see: Equifax Settles With Massachusetts, Indiana Over 2017 Breach).