Massachusetts Attorney General Maura Healey announced Tuesday that her office has launched an investigation into the T-Mobile data breach to determine if the company had proper safeguards in place to protect consumer and mobile device information.
T-Mobile disclosed last month that the names, Social Security numbers and information from driver’s licenses or other identification of just over 40 million people who applied for T-Mobile credit were exposed in a recent data breach. The same data for about 13 million current T-Mobile customers who pay monthly for phone service also appeared to be compromised.
“My office is extremely concerned about how this data breach may have put the personal information of Massachusetts consumers at risk,” Healey said in a statement. “As we investigate to understand the full extent of what’s happened, we urge impacted consumers to take the necessary precautions to ensure their information is safe, and to prevent identity theft and fraud.”
She said her office has launched an investigation into the circumstances of the breach and the steps the company is taking to address it and notify customers.
John Binns, a 21-year-old American hacker living in Turkey, told the Wall Street Journal he was responsible for the hack and blamed T-Mobile’s lax security for making it possible.
Binns told the Journal he discovered an unprotected router exposed on the internet in July, and used that entry point to gain access to servers in a T-Mobile data center near East Wenatchee, Washington, a few hours east of the company’s headquarters in the Seattle suburb of Bellevue.
T-Mobile CEO Mike Sievert apologized to customers in a written statement last month, saying he was "truly sorry" for the breach and all of the millions of customers whose personal data was stolen had been notified.
Sievert said the company spends lots of effort to try to stay ahead of criminal hackers “but we didn’t live up to the expectations we have for ourselves to protect our customers. Knowing that we failed to prevent this exposure is one of the hardest parts of this event.”
He said the breach had been contained, the investigation is “substantially complete” and that customer financial information wasn’t exposed. He said T-Mobile hired cybersecurity experts from Mandiant to help with the investigation and is coordinating with law enforcement.
“What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data,” Sievert wrote.
In response to the breach, T-Mobile is offering consumers various free theft protection services, including scam and account take-over protection for their cell phones. These services can be accessed via T-Mobile’s website. T-Mobile also recommends that customers reset account pins and passwords as an added precaution. The company has set up a consumer care hotline that can be reached by dialing 611 from a T-Mobile phone or calling 1-800-937-8997.
T-Mobile became one of the country’s largest cellphone service carriers, along with AT&T and Verizon, after buying rival Sprint last year. It reported having a total of 102.1 million U.S. customers after the merger.
T-Mobile has previously disclosed a number of data breaches over the years, though the most recent was the largest. Sievert said the company is taking steps to improve its security.
The Federal Communications Commission, which regulates wireless carriers, has said it is also investigating the breach.