“We didn’t live up to the expectations we have for ourselves to protect our customers,” CEO Mike Sievert said in a blog post Friday.
Companies have been targets of large-scale hacks like this for years, and the battle between hackers and cybersecurity defenders has generally been characterized as a never-ending arms race. But in the past several months, legislators and the White House have increasingly stepped up their pressure on companies to improve their security or potentially face stricter consequences.
The breach is the fourth in five years for T-Mobile, according to Allie Mellen, a security and risk analyst at research firm Forrester. That suggests the company’s security just isn’t up to the task, despite the general rise in attacks.
“The challenging thing is that it’s very difficult to know from the outside why things like this keep happening. The simplest answer, which is usually the one that’s correct, is that they’re just not putting the effort that they need in to make sure their customers are secure,” Mellen said. “They’ve shown time and time again that they don’t care about the safety of their customers’ data.”
In his blog post, Sievert said the company had hired cybersecurity firm Mandiant and consultants KPMG to advise it on improving security.
T-Mobile disclosed the hack on Aug. 17, after a story published in tech publication Motherboard saying the carrier had been hit. The company initially called the attack “highly sophisticated” and said it was investigating what happened.
But on Thursday, the Wall Street Journal reported that a 21-year-old American living in Turkey said he was behind the hack. He said he had broken in after finding an unprotected router on T-Mobile’s network.
“The term ‘highly sophisticated attack’ has lost meaning given the recent string of breaches that we’ve seen. It is a phrase that is used by these companies to take away some of the blame from them,” Mellen said. “This is not a sophisticated attack at all.”
In the blog post, Sievert said the company had patched the security gaps that allowed the hacker to get in. He said the company couldn’t discuss details of the attack because of an ongoing law enforcement investigation, but said the hacker used “knowledge of technical systems, along with specialized tools and capabilities” to get into T-Mobile’s systems.
“We are confident that there is no ongoing risk to customer data from this breach,” Sievert said. “We’re fully committed to take our security efforts to the next level as we work to rebuild trust.”
Hacks such as the T-Mobile breach have happened at a steady drumbeat over the last several years, meaning the personal information of nearly every American is now readily available for purchase on the Internet. But with the increased frequency of a ransomware attacks — where hackers not only steal data but also lock out companies from their computer systems — politicians and regulators are starting to put more pressure on companies to improve their security.
In May, after a ransomware attack led to the shutdown of the Colonial Pipeline, President Biden signed an executive order requiring federal agencies and the companies they work with to begin improving their standards for cybersecurity. Legislators have proposed requiring all companies that provide critical infrastructure like pipelines and water systems to meet minimum standards as well. The $1 trillion infrastructure bill passed by the Senate earlier this month also includes over $2 billion in funding for cybersecurity initiatives.
Chris Velazco contributed to this report.