T-Mobile data breach

T-Mobile US, Inc. is an American wireless network operator and is the second largest wireless carrier in the United States, with 127.5 million subscribers as of September 30, 2024. T-Mobile had previously suffered data breaches in 2009, 2015, 2017, 2018, 2019, and 2020. In 2020 John Erin Binns, who later claimed responsibility for the breach, filed a lawsuit against the American government accusing them of being involved with his alleged kidnapping and torture and attacking him with psychic and energy weapons. == Timeline ==

July 2021 John Erin Binns gained access to an unprotected GPRS gateway located in Washington. An SSH login was achieved by means of a Brute-force attack; there were no controls to prevent multiple login attempts. This was also reported online. This was later shown to be the last date on which there was evidence of intruder activity. On August 24, 2021, it was announced that T-Mobile Business customers were affected by the data breach. The company determined that the types data that impacted businesses included the business's name, federal tax ID, business address, contact name, and business phone number, as well as personal information; there was no indication that business or personal financial information, including credit or debit card information, account passwords or PINs were included in the data breach. On August 26, John Erin Binns, aka IRDev, claimed responsibility for the attack and provided evidence to support his claim. == Extent of breach ==

T-Mobile identified 76 million customers and previous customers in the US that might have had their information compromised in the data breach. This included: • first and last names, addresses, dates of birth, Social Security numbers, and driver's license numbers of 7.8 million current T-Mobile customers and approximately 40 million former, and prospective customers. • the names, dates of birth, and ID numbers of an additional 1.9 million former and prospective customers; • names, dates of birth, and in many cases addresses of 6.1 million former and prospective customers. • for some customers, device identifiers and account PINs. T-Mobile confirmed that no customer financial information such as credit card or debit card information was exposed. == Legal consequences ==

In late 2022, T-Mobile agreed to settle a class action lawsuit filed by customers. It committed to pay $350 million to settle customers claims. In 2024, T-Mobile reached a $31.5 million settlement to resolve a Federal Communications Commission probe that included this breach and others. == Indictment and arrests ==

In January 2024, it was reported that a 12-count sealed federal indictment in the Western District of Washington had been obtained against hacker John Erin Binns for the August 2021 data breach and sale of data. Binns was originally indicted in January 2022. The counts against him include hacking-related offenses as well as conspiracy, wire fraud, money laundering, and aggravated identity theft. He remains in the Republic of Turkey while contesting extradition. The indictment has since been unsealed by the court. Binns was eventually arrested in Turkey and an extradition proceeding to deliver him to the United States is ongoing. In March 2024, Diogo Santos Coelho was arrested in the UK for running a hacking site called RaidForums. It was reported by Vice Media that T-Mobile attempted to stop the sharing of the stolen data at the time of the incident by secretly paying the hackers over $200,000 through Coelho's middleman service. The plan failed and the stolen data remained available for sale. As of December 2024, Binns is currently living in Turkey awaiting extradition to the United States for his involvement in the 2024 Snowflake data breach. == References ==