T-Mobile Confirms Breach Exposing Personal Data of 54 Million Customers

T-Mobile USA confirmed in a press release today that an attacker accessed personal information belonging to at least 54 million current, former, and prospective customers, in what is the carrier's largest disclosed breach to date.

The compromised data includes names, dates of birth, Social Security numbers, driver's license numbers, and IMEI/IMSI device identifiers. PINs for approximately 850,000 prepaid customers were also exposed. T-Mobile says no payment card information or financial data was accessed.

The intrusion was first reported by Motherboard after a seller began advertising the data on a dark-web forum, asking $270,000 in bitcoin for a portion of the records. The seller, who later identified themselves as 21-year-old John Binns in an interview with the Wall Street Journal, described the breach as motivated by T-Mobile's "awful" security and frustration with what he characterized as U.S. government harassment.

According to Binns's account, he gained initial access through an unprotected GGSN router exposed to the public internet, then pivoted through more than 100 internal servers to locate customer databases.

T-Mobile said it has offered two years of free identity-protection services from McAfee and recommended affected customers reset their PINs. The company faces multiple class-action lawsuits and a Federal Communications Commission investigation. This is at least the fifth publicly disclosed T-Mobile data breach in four years.