T-Mobile: Four Major Data Breaches in Three Years Expose 76 Million+ Customers
Between 2021 and 2023, T-Mobile suffered four separate data breaches that collectively exposed the personal data of more than 76 million customers.
The most devastating breach, in August 2021, was executed by hacker John Erin Binns, who exploited unprotected routers and testing systems to access 76.6 million records including SSNs and driver's license numbers.
The serial nature of the breaches resulted in a $350 million class action settlement, a $150 million mandatory security investment, and a $31.5 million FCC consent decree.
KEY FACTS
- What: Four separate breaches from 2021 to 2023 via routers, APIs, and credentials.
- Who: Over 76 million T-Mobile customers and prospective applicants.
- Data Exposed: SSNs, driver's licenses, IMEI/IMSI identifiers, and call records.
- Outcome: $350M class action settlement and $31.5M FCC consent decree.
WHAT WAS EXPOSED
- August 2021: SSNs, driver's licenses, DOBs, names, addresses, and IMEI/IMSI identifiers for 76.6M customers
- December 2021: Customer proprietary network information (CPNI), including phone numbers and call logs, for ~200,000 customers via SIM-swapping
- November 2022: Names, contact details, account numbers, and plan details for ~37M customers via an exploited API, abused over a 40-day period
- January 2023: PINs, SSNs, and government IDs for ~836 customers via compromised employee credentials
Each breach targeted a different attack surface but reflected a common theme: T-Mobile's security investment had not kept pace with the sensitivity and volume of customer data it held. Binns described T-Mobile's security as "awful" in a Wall Street Journal interview.
The FCC consent decree required T-Mobile to implement a zero-trust architecture, phishing-resistant MFA, and network segmentation, and to designate a CISO with direct reporting to the board.
SOURCES
FCC Settlement September 2024, T-Mobile SEC Filings, Wall Street Journal, Class Action Settlement MDL No. 3019, Washington State AG Lawsuit