2021-08-16 T-Mobile US, Inc. Cybersecurity Incident

Page last updated on April 11, 2024

T-Mobile US, Inc. initially disclosed a cybersecurity incident in an SEC 8-K filing on 2021-08-16 17:27:02 EDT.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date:
Disclosure Date: 2021-08-16
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2021-08-16

T-Mobile US, Inc. filed an 8-K at 2021-08-16 17:27:02 EDT
Accession Number: 0001193125-21-248002

Item 7.01 Regulation FD Disclosure.

On August 16, 2021, T-Mobile US, Inc. (“T-Mobile,” “we,” “our” or “us”) posted the following statement to its website:

We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed. We take the protection of our customers very seriously and we are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement.

We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed. This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment we cannot confirm the reported number of records affected or the validity of statements made by others.

We understand that customers will have questions and concerns, and resolving those is critically important to us. Once we have a more complete and verified understanding of what occurred, we will proactively communicate with our customers and other stakeholders.

8-K filed on 2021-08-18

T-Mobile US, Inc. filed an 8-K at 2021-08-18 06:07:02 EDT
Accession Number: 0001193125-21-249635

Item 7.01 Regulation FD Disclosure.

On August 17, 2021, T-Mobile US, Inc. (“T-Mobile,” “we,” “our” or “us”) issued a press release providing an update on our ongoing investigation into the recent cyberattack against T-Mobile. We wanted to share the initial findings set forth in this release with stakeholders, even though our investigation may reveal additional facts that cause the details in the release to change or evolve.

A copy of the press release is attached hereto as Exhibit 99.1 and is incorporated herein by reference.

Exhibit No. 99.1

Press Release dated August 17, 2021

8-K filed on 2021-08-20

T-Mobile US, Inc. filed an 8-K at 2021-08-20 07:00:39 EDT
Accession Number: 0001193125-21-251974

Item 7.01 Regulation FD Disclosure.

On August 20, 2021, T-Mobile US, Inc. (“T-Mobile,” “we,” “our” or “us”) posted the following statement to its website:


T-Mobile Shares Updated Information Regarding Ongoing Investigation into Cyberattack (8/20/21)

We have continued to work around the clock on the forensic analysis and investigation into the cyberattack against T-Mobile systems while also taking a number of proactive steps to protect customers and others whose information may have been exposed.

Our investigation is ongoing and will continue for some time, but at this point, we are confident that we have closed off the access and egress points the bad actor used in the attack. Below is what we know to date.

- 	 	We previously reported information from approximately 7.8 million current T-Mobile postpaid customer accounts that included first and last names, date of birth, SSN, and driver's license/ID information was compromised. We have now also determined that phone numbers, as well as IMEI and IMSI information, the typical identifier numbers associated with a mobile phone, were also compromised. Additionally, we have since identified another 5.3 million current postpaid customer accounts that had one or more associated customer names, addresses, date of births, phone numbers, IMEIs and IMSIs illegally accessed. These additional accounts did not have any SSNs or driver's license/ID information compromised.

- 	 	We also previously reported that data files with information from about 40 million former or prospective T-Mobile customers, including first and last names, date of birth, SSN, and driver's license/ID information, were compromised. We have since identified an additional 667,000 accounts of former T- Mobile customers that were accessed with customer names, phone numbers, addresses and dates of birth compromised. These additional accounts did not have any SSNs or driver's license/ID information compromised.

- 	 	Separately, we have also identified further stolen data files including phone numbers, IMEI, and IMSI numbers. That data included no personally identifiable information.

- 	 	We continue to have no indication that the data contained in any of the stolen files included any customer financial information, credit card information, debit or other payment information.

- 	 	As we previously reported, approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were exposed. We have proactively reset ALL of the PINs on these accounts. Similar information from additional inactive prepaid accounts was also accessed. In addition, up to 52,000 names related to current Metro by T-Mobile accounts may have been included. None of these data sets included any personally identifiable information. Further, none of the T-Mobile files stolen related to former Sprint prepaid or Boost customers.

We are continuing to take action to protect everyone at risk from this cyberattack, including those additional persons we recently identified. We have sent communications to millions of customers and other affected individuals and are providing support in various ways. This includes:

- 	 	Offering two years of free identity protection services with McAfee's ID Theft Protection Service to any person who believes they may be affected

- 	 	Recommending that all eligible T-Mobile customers sign up for free scam-blocking protection through Scam Shield

- 	 	Supporting customers with additional best practices and practical security steps like resetting PINs and passwords

- 	 	Publishing a customer support webpage that includes information and access to these tools at [https://www.t-mobile.com/brand/data-breach-2021](https://www.t-mobile.com/brand/data-breach-2021)

As we support our customers, we have worked diligently to enhance security across our platforms and are collaborating with industry-leading experts to understand additional immediate and longer-term next steps. We also remain committed to transparency as this investigation continues and will continue to provide updates if new information becomes available that impacts those affected or causes the details above to change or evolve.

8-K filed on 2021-08-27

T-Mobile US, Inc. filed an 8-K at 2021-08-27 08:00:58 EDT
Accession Number: 0001193125-21-258261

Item 7.01 Regulation FD Disclosure.

On August 27, 2021, T-Mobile US, Inc. (“T-Mobile,” “we,” “our” or “us”) posted the following statement to its website:

The Cyberattack Against T-Mobile and Our Customers:

What happened, and what we are doing about it.

By Mike Sievert

CEO, T-Mobile

The last two weeks have been humbling for all of us at T-Mobile as we have worked tirelessly to navigate a malicious cyberattack on our systems. Now with the breach having been contained and our investigation substantially complete, I wanted to take a moment to provide an update and some perspective on where things stand, what we have been doing to take care of impacted people, and the measures we are taking to better protect consumers from future incidents like this.

On August 17th we confirmed that T-Mobile’s systems were subject to a criminal cyberattack that compromised data of millions of our customers, former customers, and prospective customers. Fortunately, the breach did not expose any customer financial information, credit card information, debit or other payment information but, like so many breaches before, some SSN, name, address, date of birth and driver’s license/ID information was compromised. To say we are disappointed and frustrated that this happened is an understatement. Keeping our customers’ data safe is a responsibility we take incredibly seriously and preventing this type of event from happening has always been a top priority of ours. Unfortunately, this time we were not successful.

Attacks like this are on the rise and bad actors work day-in and day-out to find new avenues to attack our systems and exploit them. We spend lots of time and effort to try to stay a step ahead of them, but we didn’t live up to the expectations we have for ourselves to protect our customers. Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry.

As our initial investigation into the incident winds down, I felt it was important to share an update on our work and, importantly, what’s next. We’re fully committed to take our security efforts to the next level as we work to rebuild trust and I want to tell you more about what we have in progress.

What we know about the incident

Through our investigation into this incident, which has been supported by world-class security experts Mandiant from the very beginning, we now know how this bad actor illegally gained entry to our servers and we have closed those access points. We are confident that there is no ongoing risk to customer data from this breach.

We recognize that many are asking exactly what happened. While we are actively coordinating with law enforcement on a criminal investigation, we are unable to disclose too many details. What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.

In short, this individual’s intent was to break in and steal data, and they succeeded.

Since confirming this breach, we have worked around the clock to understand impact and risk to customers and others and have done our very best to be transparent about those impacts as quickly as possible. This is not a one-and-done process. There is much work to do, and this will take time, and we remain committed to doing our best to ensure those who had information exposed feel informed, supported, and protected by T-Mobile.

Taking care of our customers

As our internal investigation has continued, our teams have made supporting our customers a top priority-from answering questions to helping customers get access to tools and best practices that will help them protect their information.

As of today, we have notified just about every current T-Mobile customer or primary account holder who had data such as name and current address, social security number, or government ID number compromised. T-Mobile customers or primary account holders who we do not believe had that data impacted will now see a banner on their MyT-Mobile.com account login page letting them know. We are also now working diligently to notify former and prospective customers. Our goal is to ensure that we are providing clear information about how customers and those affected can protect themselves. So, we have published a web page where we are:

- offering two years of free identity protection services with McAfee’s ID Theft Protection Service to all persons who may have been affected

- 	 	recommending customers sign up T-Mobile's free scam-blocking protection through Scam Shield

- 	 	making Account Takeover Protection available for postpaid customers, which makes it more difficult for customer accounts to be fraudulently ported out and stolen

- 	 	suggesting other best practices and practical security steps like resetting PINs and passwords for all customers.

Our Path Forward

We know that the bad actors out there will continue to evolve their methods every single day and attacks across nearly every industry are on the rise. However, while cyberattacks are commonplace, that does not mean that we will accept them. T-Mobile is taking significant steps to enhance our approach to cybersecurity.

Today I’m announcing that we have entered into long-term partnerships with the industry-leading cybersecurity experts at Mandiant, and with consulting firm KPMG LLG. We know we need additional expertise to take our cybersecurity efforts to the next level-and we’ve brought in the help. These arrangements are part of a substantial multi-year investment to adopt best-in-class practices and transform our approach. This is all about assembling the firepower we need to improve our ability to fight back against criminals and building a future-forward strategy to protect T-Mobile and our customers.

As I previously mentioned, Mandiant has been part of our forensic investigation since the start of the incident, and we are now expanding our relationship to draw on the expertise they’ve gained from the front lines of large-scale data breaches and use their scalable security solutions to become more resilient to future cyber threats. They will support us as we develop an immediate and longer-term strategic plan to mitigate and stabilize cybersecurity risks across our enterprise.

Simultaneously, we are partnering with consulting firm KPMG, a recognized global leader in cybersecurity consulting. KPMG’s cybersecurity team will bring its deep expertise and interdisciplinary approach to perform a thorough review of all T-Mobile security policies and performance measurement. They will focus on controls to identify gaps and areas of improvement. Mandiant and KPMG will work side-by-side with our teams to map out definitive actions that will be designed to protect our customers and others from malicious activity now and into the future. I am confident in these partnerships and optimistic about the opportunity they present to help us come out of this terrible event in a much stronger place with improved security measures.

As we learn and evolve, we will always work to keep you informed of any important updates or relevant changes. I also commit to you that while we’re starting on this path with humility, we will bring to it the same Un-carrier energy that we have used for years to help transform the wireless industry for the benefit of consumers and businesses everywhere.

8-K filed on 2022-07-22

T-Mobile US, Inc. filed an 8-K at 2022-07-22 16:25:03 EDT
Accession Number: 0001193125-22-200065

Item 8.01 Other Events.

On July 22, 2022, T-Mobile US, Inc. (the “Company” or “T-Mobile”) entered into an agreement to settle a consolidated class action lawsuit asserting claims related to a 2021 criminal cyberattack involving unauthorized access to the Company’s systems in which certain information about a number of the Company’s current, former, and prospective customers was compromised. The lawsuit is currently pending in the U.S. District Court for the Western District of Missouri under the caption In re: T-Mobile Customer Data Security Breach Litigation, Case No. 21-md-3019-BCW.

The proposed settlement remains subject to preliminary and final court approval. If approved by the court, under the terms of the proposed settlement, the Company would pay an aggregate of $350.0 million to fund claims submitted by class members, the legal fees of plaintiffs’ counsel and the costs of administering the settlement. The Company would also commit to an aggregate incremental spend of $150.0 million for data security and related technology in 2022 and 2023.

The Company anticipates that, upon court approval, the settlement will provide a full release of all claims arising out of the cyberattack by class members, who do not opt out, against all defendants, including the Company, its subsidiaries and affiliates, and its directors and officers. The settlement contains no admission of liability, wrongdoing or responsibility by any of the defendants. Class members consist of all individuals whose personal information was compromised in the breach, subject to certain exceptions set forth in the agreement. The Company believes that terms of the proposed settlement are in line with other settlements of similar types of claims.

Final court approval of the terms of the settlement is expected as early as December 2022 but could be delayed by appeals or other proceedings. The Company has the right to terminate the agreement under certain conditions.

If approved by the court, the Company anticipates this settlement of the class action, along with other settlements of separate consumer claims that have been previously completed or are currently pending, will resolve substantially all of the claims brought by the Company’s current, former and prospective customers who were impacted by the 2021 cyberattack. In connection with the proposed class action settlement and the separate settlements, the Company expects to record a total pre-tax charge of approximately $400 million in the second quarter of 2022.

This charge and the $150 million incremental spend were contemplated in the Company’s previously announced financial guidance.

Company Information