T-Mobile CEO Mike Sievert published an open apology to customers Friday after hackers stole more than 50 million users’ personal data, including their Social Security numbers and driver's license information.
“The last two weeks have been humbling for all of us at T-Mobile,” he wrote. “To say we are disappointed and frustrated that this happened is an understatement.”
The incident is the fourth known breach at T-Mobile since 2018, and by far the largest. The full count of customers whose data was stolen is unclear, but the company said last week it had identified more than 53 million affected customers, most of them on subscription plans. It also included an unspecified number of “prospective” users who are not T-Mobile customers. The company has declined to share updated figures since then, and it has no plans to give a final update, a spokesperson said in an email.
A self-proclaimed hacker, identified by The Wall Street Journal as an American citizen living in Turkey, took responsibility for the breach before T-Mobile was aware of it. Last week, he told NBC News from a Telegram account, which has since been deleted, that he and his fellow hackers intended to sell the information for a profit. He claimed at the time to have more than 100 million users' information.
It is unclear why T-Mobile was storing customers’ driver's license information and Social Security numbers without encrypting them in a way that would make the data difficult or impossible for hackers to read even if they stole it.
Jackie Singh, a cybersecurity consultant, said it was irresponsible on the part of T-Mobile, especially for hard-to-change sensitive personal data like Social Security numbers.
“It is frankly bizarre to learn that in this day and age, a major telco continues to store critical customer data in plain text,” she said. “Offering two years of credit monitoring services doesn’t change the fact that harm was done to their customer base.”
The company is working with law enforcement, Sievert said, and has begun a process of alerting users that they’ve potentially been affected, and it has set up a hub for victim services. But that process can be confusing for some users, according to a cybersecurity professional whose family uses T-Mobile and who wasn’t authorized by her company to speak candidly about the breach.
“I got 3 texts from them that I was affected,” she said in a text message. “I walked my parents through security settings. A lot of users have no idea what to do.”