Two weeks ago, T-Mobile confirmed a massive breach in which data from almost 50 million accounts was stolen. Today, T-Mobile CEO Mike Sievert finally broke the silence and apologized for the hack in a blog post. He also announced a new cybersecurity deal with Mandiant as well as additional steps to protect customers.
The CEO says that no customer financial information, credit card information, debit, or other payment information is part of the breach. However, Sievert added, "like so many breaches before, some SSN, name, address, date of birth and driver’s license/ID information was compromised."
He further stated that the company spends lots of time and effort trying to stay a step ahead of such bad actors, but did not live up to its own expectations for protecting customers.
"Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry."
Sievert then explains in the simplest terms how the attack happened. He says that "the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data."
To protect those who are affected, T-Mobile is taking several steps. The company is:
- offering two years of free identity protection services with McAfee’s ID Theft Protection Service to all persons who may have been affected
- recommending customers sign up for T-Mobile’s free scam-blocking protection through Scam Shield
- making Account Takeover Protection available for postpaid customers, which makes it more difficult for customer accounts to be fraudulently ported out and stolen
- suggesting other best practices and practical security steps like resetting PINs and passwords for all customers.
Furthermore, the CEO also announced long-term partnerships with cybersecurity expert Mandiant and consulting firm KPMG LLP.
"We know we need additional expertise to take our cybersecurity efforts to the next level—and we’ve brought in the help. These arrangements are part of a substantial multi-year investment to adopt best-in-class practices and transform our approach. This is all about assembling the firepower we need to improve our ability to fight back against criminals and building a future-forward strategy to protect T-Mobile and our customers."
Mandiant has been part of the investigation since the start of the incident, and the partnership will give T-Mobile access to its expertise from handling large-scale data breaches in the past. T-Mobile also plans to use Mandiant's scalable security solutions to become more resilient to future cyber threats.