Breach, Content

T-Mobile Cyberattack: Incident Investigation & Data Breach Timeline

T-Mobile has hired Mandiant and KPMG, a Top 250 MSSP, for long-term cybersecurity consulting engagements after a hacker breached T-Mobile's network and stole data involving roughly 50 million people.

Mandiant has been part of the forensic investigation since the start of the incident, T-Mobile CEO Mike Sievert wrote in a memo to customers. He added:

"We are now expanding our relationship to draw on the expertise they’ve gained from the front lines of large-scale data breaches and use their scalable security solutions to become more resilient to future cyber threats. They will support us as we develop an immediate and longer-term strategic plan to mitigate and stabilize cybersecurity risks across our enterprise."

At the same time, T-Mobile is partnering with KPMG's cybersecurity team which "will bring its deep expertise and interdisciplinary approach to perform a thorough review of all T-Mobile security policies and performance measurement," Sievert wrote. "They will focus on controls to identify gaps and areas of improvement."

Mandiant and KPMG will work side-by-side with T-Mobile teams to" map out definitive actions that will be designed to protect our customers and others from malicious activity now and into the future," Sievert.

T-Mobile Cyberattack Details and Investigation Timeline

Here is a timeline of the T-Mobile security incident and investigation:

Friday, August 27, 2021: T-Mobile CEO Mike Sievert apologized for the cyberattack, and disclosed that the company has entered into "long-term partnerships" with Mandiant and KPMG "to take our cybersecurity efforts to the next level." Source: T-Mobile, August 27, 2021.

Thursday, August 26, 2021: Alleged T-Mobile hacker John Binns claims the  wireless company’s lax security eased his path into a cache of records with personal details on more than 50 million people. Source: The Wall Street Journal, August 26, 2021.

Friday, August 20, 2021: Multiple updates...

  • T-mobile has had six other data breaches in the past four years, raising questions about the carrier's  ability to implement and maintain proper security, according to Doug Schmidt, a professor of computer science at Vanderbilt University. Source: Reuters, August 20, 2021.
  • T-mobile disclosed that hackers accessed an additional 5.3 million customer records. Deeper details about the hack are in this SEC filing. Source: T-Mobile, August 20, 2021.

Thursday, August 19, 2021: T-Mobile has launched a Data Breach webpage to share the latest investigation updates, and to offer next-step security guidance for customers. The webpage will feature ongoing updates from the 5G service provider. Source: T-Mobile, August 19, 2021.

Wednesday, August 18, 2021: The U.S. Federal Communications Commission (FCC) said is investigating the T-Mobile US data breach. Source: Reuters, August 18, 2021.

Tuesday, August 17, 2021: Multiple Updates...

  • Approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in stolen files.
  • Just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile are in the stolen files.
  • No phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.
  • Approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed. T-Mobile reset ALL of the PINs on these accounts to help protect these customers. No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed.
  • Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.
  • Source: T-Mobile, August 17, 2021.

Monday, August 16, 2021: In a blog, T-Mobile confirms cybersecurity incident, but has not yet determined if any personal customer data was stolen.

Sunday, August 15, 1:31 p.m. ET, 2021: In a statement to Reuters, a T-Mobile spokesperson said: "We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time."

Sunday, August 15, 11:03 a.m. ET, 2021: Vice reports that data allegedly stolen from T-Mobile servers may include such information as social security numbers, phone numbers, names, physical addresses and driver licenses information.

U.S. Government Wants IT Service Providers to Strengthen Security Practices

Chatter about the T-Mobile breach surfaces amid the U.S. federal government's effort to tighten cybersecurity across the country. The effort includes President Biden's cybersecurity executive order, which mentioned IT service providers more than a dozen times. The May 2021 executive order emphasized the need for service providers to coordinate their cyber and infrastructure security efforts with government agencies.

T-Mobile is one of the largest U.S. carriers. The company merged with Sprint in April 2020 to "deliver a transformative 5G network," the two businesses said at the time. T-Mobile's revenue was $20 billion in Q2 of 2021, up 13.2 percent from Q2 of 2020, the company announced in July 2021.

T-Mobile and Sprint are familiar cyberattack targets. Both companies suffered separate security breaches in 2018 or so, according to reports at the time.

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.