
T-Mobile US — recurring data breaches 2018-2023

T-Mobile US disclosed at least eight data breaches between 2018 and 2023; the 2021 incident exposed 76.6 million records via an exposed gateway and produced a $350M settlement.

Target
T-Mobile US — recurring data breaches 2018-2023
Date public
16 August 2021
Sector
Telecoms
Attack type
Data Breach
Threat actor
John Binns (2021); various others
Severity
High
Region
United States

T-Mobile disclosed more large-scale customer data breaches between 2018 and 2023 than any other major US telecom. The most significant was August 2021, when John Binns, a 21-year-old American living in Turkey, broke into T-Mobile's network through an exposed router, moved laterally to a customer database, and downloaded records on 76.6 million current, former and prospective customers, including Social Security numbers, driver's licence numbers and dates of birth. Binns went public about what he had done on Twitter and in interviews, describing T-Mobile's security as "awful." T-Mobile settled a class action for $350 million and committed to spend a further $150 million on security in 2022 and 2023. Then, in January 2023, a separate attacker used a single API to download data on another 37 million customers. Repeated breaches through different vectors over five years make T-Mobile the most prominent US example of an organisation that made public commitments to fix security problems and then suffered further significant breaches.

What happened

T-Mobile US disclosed its most significant data breach on 16 August 2021, revealing that an attacker had obtained personal data on approximately 76.6 million current, former and prospective customers. The exposed data included names, addresses, dates of birth, Social Security numbers, driver’s licence numbers, IMEI numbers, and in some cases, phone numbers and account PINs. The scale and sensitivity of the dataset made the 2021 breach the dominant incident in a long record of T-Mobile security failures.

The 2021 breach was publicly claimed by John Binns, a 21-year-old US citizen living in Izmir, Turkey, who gave an interview to the Wall Street Journal while the investigation was still ongoing. Binns described T-Mobile’s security controls as “awful” and provided a contemporaneous account of how the breach was executed. He was later arrested in Turkey in April 2022 on US federal charges.

T-Mobile settled a class action arising from the 2021 breach for $350 million in 2022, one of the largest data-breach class-action settlements in US history at the time, and committed to spending an additional $150 million on data security and related technology in 2022 and 2023. In January 2023, T-Mobile disclosed a second significant breach, this time affecting approximately 37 million customer accounts via a single API. The 2023 breach occurred during the period covered by the $150 million security investment commitment.

The company's broader breach record includes incidents in August 2018 (approximately 2 million customers), November 2019 (approximately 1 million prepaid customers), March 2020, April 2020, and others, making it the most breached major US telco by both count and cumulative exposure.

How it worked

The 2021 breach began with an internet-exposed GPRS gateway router. Binns identified the exposed device through internet scanning, gained access to it, and used it as an initial foothold to move laterally inside T-Mobile’s internal network. From there, he reached T-Mobile’s customer-data environment and downloaded the records of 76.6 million individuals across multiple T-Mobile customer segments — postpaid, prepaid, and prospective customers who had submitted applications.

The lateral movement from a gateway device to a customer-data database containing Social Security numbers and driver’s licence information reflects a network segmentation and access control failure: the gateway device should not have had a path to high-sensitivity customer data stores. Binns described the internal movement as relatively straightforward once the initial foothold was established, consistent with flat or insufficiently segmented network architecture.

The 2023 breach used a different vector: a single API that did not adequately authenticate the caller or check that the caller was authorised to see the requested account, so it could be queried to retrieve account data for any T-Mobile customer. The attacker ran an automated enumeration against the API from around 25 November 2022 until T-Mobile identified the activity on 5 January 2023, roughly six weeks, and retrieved data on approximately 37 million accounts. The exposed fields (name, billing address, email address, phone number, date of birth, account number and plan details) were less sensitive than the 2021 set; T-Mobile stated that passwords, payment card details, Social Security numbers and government ID numbers were not exposed. Both the vulnerability and the exploitation pattern were distinct from the 2021 gateway router intrusion, indicating that the post-2021 security investment had either not addressed the API attack surface or had not done so effectively. Six weeks of high-volume account lookups from one caller is also exactly the activity that API rate limiting and anomaly monitoring exist to catch.
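The enumeration pattern described above, one caller walking account identifiers successfully for weeks, can be flagged from API access logs alone, before anyone knows which endpoint is broken. The following is an added example, not T-Mobile's code or logs: the log line format, the `/v1/accounts/<id>` path scheme and the thresholds are assumptions, and the sample lines are constructed in code.

```python
"""Flag API clients whose lookup pattern looks like account enumeration.

Added example for this page (not T-Mobile code or logs). The log format is a
constructed convention: "<ISO-8601 UTC timestamp> <client_id> <method> <path> <status>".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Paths of the form /v1/accounts/<numeric account id>; the path scheme is assumed.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"/v1/accounts/(?P<acct>\d+)\S* (?P<status>\d{3})$"
)


def parse_line(line):
    """Return a dict for a matching account-lookup log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "client": m["client"],
        "acct": int(m["acct"]),
        "status": int(m["status"]),
    }


def find_enumerators(lines, window=timedelta(hours=1), max_distinct=50):
    """Return {client_id: evidence} for clients that fetched at least `max_distinct`
    different accounts within any span of length `window`.

    Only successful (200) lookups count: those are the ones that leaked data.
    The sequential ratio (share of consecutive id steps equal to 1) separates
    id-walking from a busy but legitimate client hitting the same few accounts.
    """
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 200:
            by_client[rec["client"]].append(rec)

    findings = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until recs[start:end+1] spans at most `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            accts = sorted({r["acct"] for r in recs[start:end + 1]})
            if len(accts) < max_distinct:
                continue
            steps = [b - a for a, b in zip(accts, accts[1:])]
            sequential = sum(1 for s in steps if s == 1) / len(steps)
            if best is None or len(accts) > best["distinct_accounts"]:
                best = {
                    "distinct_accounts": len(accts),
                    "sequential_ratio": round(sequential, 2),
                    "window_start": recs[start]["ts"].isoformat(),
                }
        if best:
            findings[client] = best
    return findings


def constructed_log():
    """Constructed sample: a support tool doing normal lookups, and one credential walking ids."""
    base = datetime(2022, 11, 25, 3, 0, 0)
    lines = []
    # Legitimate: 30 lookups spread over 15 hours, cycling through 6 accounts.
    for i in range(30):
        ts = base + timedelta(minutes=30 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} support-app GET /v1/accounts/{5000000 + i % 6} 200")
    # Enumeration: 120 consecutive account ids in 10 minutes from one API credential.
    for i in range(120):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} api-key-9c1 GET /v1/accounts/{7000000 + i} 200")
    # Noise the parser should ignore.
    lines.append("2022-11-25T03:00:00Z support-app GET /healthz 200")
    return lines


if __name__ == "__main__":
    for client, evidence in find_enumerators(constructed_log()).items():
        print(client, evidence)
```

The thresholds are the tunable part: a window of an hour and fifty distinct accounts would be far too loose for a consumer self-service endpoint and possibly too tight for an internal batch job, so the baseline has to come from each client's own history. The point is that distinct-account cardinality per caller is a cheap signal that does not depend on knowing the vulnerability in advance.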

The FCC investigated T-Mobile's breaches from 2021 through 2023 and in September 2024 reached a settlement totalling $31.5 million: a $15.75 million civil penalty plus a commitment to invest at least $15.75 million in security improvements, including adopting a zero-trust architecture, phishing-resistant multi-factor authentication for employee and vendor access, and data minimisation practices. The FCC treated the recurrence of incidents as evidence of inadequate security programme governance.

Timeline

  • August 2018 — T-Mobile discloses breach affecting approximately 2 million customers (names, billing zip codes, phone numbers, email addresses, account numbers and account type).
  • November 2019 — T-Mobile discloses breach of approximately 1 million prepaid customers.
  • March–April 2020 — T-Mobile discloses two additional smaller breaches.
  • August 2021 — John Binns accesses T-Mobile through an exposed gateway router; downloads records on 76.6 million customers. T-Mobile discloses 16 August 2021.
  • August 2021 — Binns claims responsibility in Wall Street Journal interview.
  • 2022 — T-Mobile settles class action for $350 million; commits to $150 million security investment. John Binns arrested in Turkey.
  • January 2023 — T-Mobile discloses (19 January) a breach via a single API affecting approximately 37 million customers; the attacker had been active since around 25 November 2022 and was identified on 5 January 2023, roughly six weeks of undetected enumeration.
  • September 2024 — FCC announces $31.5 million settlement with T-Mobile covering its breaches from 2021 through 2023.

What defenders should learn

The T-Mobile record is the most prominent case study in the question of whether public commitments to security investment translate into measurably reduced breach risk. T-Mobile made a $350 million settlement commitment and a $150 million security investment pledge in 2022, then disclosed a 37-million-customer API breach in January 2023 while those commitments were in effect. This does not mean the investments were wasted, but it demonstrates that investment commitments measured in dollars do not map simply to security outcomes. The relevant question is not “how much are you spending” but “what specific control gaps are you closing, by when, and how are you verifying that the gaps are actually closed.”

The 2021-to-2023 sequence also demonstrates the difference between remediating the incident that just happened and addressing the control environment that permitted the incident. After 2021, T-Mobile remediated the specific vulnerabilities that Binns exploited. The 2023 breach used a different vector — API authentication — that was apparently not adequately addressed in the post-2021 review. Comprehensive post-breach remediation requires not just patching the specific holes found but assessing the entire attack surface class that the incident revealed. If an attacker found an exposed device via internet scanning, the remediation question is not only “which device was exposed” but “how do we ensure no other devices are exposed on the internet without our knowledge.” If an attacker exfiltrated data via an insufficiently authenticated API, the question is not “which API endpoint was vulnerable” but “how do we audit the authentication status of every API endpoint in our estate.”
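One way to turn "audit the authentication status of every API endpoint" into a repeatable check is to walk the API's own contract rather than hunt for the one endpoint that leaked. The example below is added here and is not T-Mobile's code or API description; it assumes OpenAPI 3.x security semantics (a root-level `security` list applies to every operation unless the operation declares its own, and an operation-level `security: []` opts out) and runs over a constructed spec that contains the cases worth catching.

```python
"""Audit an OpenAPI 3 document for operations that accept unauthenticated calls.

Added example for this page (not T-Mobile's code or API). The spec below is
constructed to exercise each case the audit catches; OpenAPI 3.x security
semantics are assumed.
"""

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def unauthenticated_operations(spec, allow_public=frozenset()):
    """Return (METHOD, path, reason) for every operation reachable without a
    defined security scheme, excluding paths deliberately allowlisted as public."""
    global_security = spec.get("security")  # None = undeclared, [] = explicitly none
    defined_schemes = set(spec.get("components", {}).get("securitySchemes", {}))
    findings = []
    for path, path_item in spec.get("paths", {}).items():
        for method, operation in path_item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip `parameters`, `summary`, vendor extensions
            security = operation.get("security", global_security)
            if not security:  # None or []
                if path in allow_public:
                    continue
                reason = ("no security requirement declared anywhere" if security is None
                          else "operation opts out with security: []")
                findings.append((method.upper(), path, reason))
                continue
            # Requirements name schemes; any name without a definition is a misconfiguration.
            referenced = {name for requirement in security for name in requirement}
            undefined = sorted(referenced - defined_schemes)
            if undefined:
                findings.append((method.upper(), path,
                                 f"references undefined security scheme(s): {undefined}"))
    return findings


# Constructed spec (not a real T-Mobile API description).
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "security": [{"oauth2": ["accounts.read"]}],
    "components": {"securitySchemes": {
        "oauth2": {"type": "oauth2", "flows": {"clientCredentials": {
            "tokenUrl": "https://auth.example.invalid/token",
            "scopes": {"accounts.read": "Read account records"}}}}}},
    "paths": {
        # Inherits the global requirement: fine.
        "/v1/accounts/{accountId}/plan": {"get": {"summary": "Plan details"}},
        # The gap: anyone can call it, and it takes an attacker-chosen identifier.
        "/v1/accounts/{accountId}": {
            "parameters": [{"name": "accountId", "in": "path", "required": True}],
            "get": {"summary": "Account record", "security": []},
        },
        # Deliberately public; the caller allowlists it.
        "/v1/coverage": {"get": {"summary": "Coverage map", "security": []}},
        # Misconfiguration: names a scheme that is never defined.
        "/v1/internal/export": {"post": {"security": [{"legacyToken": []}]}},
    },
}


def audit_sample():
    """Run the audit over the constructed spec with /v1/coverage allowlisted."""
    return sorted(unauthenticated_operations(SAMPLE_SPEC, allow_public={"/v1/coverage"}))


if __name__ == "__main__":
    for method, path, reason in audit_sample():
        print(f"{method} {path}: {reason}")
```

Two caveats a practitioner would add. First, a contract audit only proves what the specification says; the gateway or framework configuration has to be checked against it, because an endpoint that the spec marks as protected but that the gateway never enforces is still open. Second, the check covers authentication only. The 2023 pattern, a caller retrieving accounts it had no business seeing, also needs object-level authorisation: the handler must verify that the authenticated principal is allowed to read the specific `accountId` in the request, and that verification has to be tested per endpoint, not inferred from the spec.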

For telecoms specifically, the T-Mobile incident record makes the case for mandatory minimum data-security standards. T-Mobile holds, for virtually every active account, the combination of phone number and account information that enables SIM-swapping — the attack technique used to bypass SMS-based two-factor authentication at banks, crypto exchanges, and other services. That combination makes telco customer data a second-order key to financial accounts for millions of people. The sensitivity of that data deserves a regulatory treatment commensurate with its systemic importance.
