Anatomy of a Breach: T-Mobile — 40 Million Records Including Social Security Numbers in the Company's Worst Breach Yet

> series: anatomy_of_a_breach —— part: 152 —— target: t-mobile_us —— records: 40,000,000+ —— data: ssns_driver_licences —— breach_number: 5th_in_series

Hedgehog Security 31 August 2021 12 min read

40 million records. Social Security numbers. Driver's licences. T-Mobile's fifth breach in this series.

In August 2021, T-Mobile US disclosed that approximately 40 million records of former and prospective customers — including names, dates of birth, Social Security numbers, and driver's licence information — had been stolen, along with personal data from 7.8 million current postpaid customers. An additional 5.3 million current postpaid accounts had names and addresses exposed. The total exceeded 50 million individuals.

The attacker, 21-year-old John Binns, told the Wall Street Journal that T-Mobile's security was 'awful' and that he had accessed the company's systems through an unprotected router, then moved through the network to access a database containing over 100 million records. T-Mobile ultimately agreed to a $500 million settlement including $350 million to affected customers and $150 million for security improvements. The breach was T-Mobile's fifth appearance in this series — following the UK insider breach (2009), API vulnerability (2018), and other incidents — making it the most frequently breached company in the Anatomy of a Breach series.


Five breaches. Thirteen years. The same company. The same failures.

Fifth Breach in This Series

T-Mobile has appeared in this series for breaches in 2009, 2018 and 2021, and for multiple incidents in between, making it the most frequently breached company in the Anatomy of a Breach series. Repeated breaches at the same organisation indicate systemic security governance failures, not just individual incidents. Our penetration testing identifies the systemic weaknesses that enable repeated compromises.

Unprotected Router as Entry Point

The attacker accessed T-Mobile's network through an unprotected router, a basic infrastructure security failure. Cyber Essentials Danzell mandates secure configuration of all network devices. Our infrastructure testing identifies misconfigured network equipment.

SSNs and Driver's Licences

The theft of Social Security numbers and driver's licence data enables comprehensive identity theft that can persist for years. Unlike credit card numbers (which can be replaced), SSNs are permanent identifiers. For UK organisations holding equivalent data (National Insurance numbers, passport details), the T-Mobile case underscores the need for encryption at rest and strict access controls.

$500 Million Settlement

The $500 million settlement, including $350 million for customers and $150 million for security improvements, was among the largest data breach settlements in US history. Under UK GDPR, similar breaches can attract fines of 4% of global turnover. Cyber Essentials demonstrates the proactive security investment regulators expect.

Repeated breaches demand systemic change, not point fixes.

T-Mobile's fifth breach in this series demonstrates that cybersecurity requires systemic, ongoing investment — not reactive fixes after each incident. For UK organisations, the message is: security is a continuous programme, not a one-off project. Annual Cyber Essentials certification, regular penetration testing, continuous SOC monitoring, and maintained incident response capability are the controls that prevent repeated breaches.


T-Mobile: five breaches in thirteen years. Is your organisation investing in systemic security?

Annual Cyber Essentials maintains the baseline. Regular testing finds new weaknesses. SOC in a Box (https://www.socinabox.co.uk) monitors continuously.
