T-Mobile's CEO offers mea culpaT-Mobile's CEO offers mea culpa

T-Mobile's CEO, Mike Sievert, penned an apology to customers over the operator's recent hack.

"Attacks like this are on the rise and bad actors work day-in and day-out to find new avenues to attack our systems and exploit them," Sievert wrote on the company's website. "We spend lots of time and effort to try to stay a step ahead of them, but we didn't live up to the expectations we have for ourselves to protect our customers. Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry."

The remorse is noteworthy considering T-Mobile's "uncarrier" marketing position often involves direct, fiery attacks on its competitors. Sievert's post Friday contained none of that.

Further, Sievert put the blame squarely on T-Mobile's shoulders. "Keeping our customers' data safe is a responsibility we take incredibly seriously and preventing this type of event from happening has always been a top priority of ours. Unfortunately, this time we were not successful," he wrote.

That's also noteworthy considering Sievert's T-Mobile predecessor, former CEO John Legere, made sure to explain that it was T-Mobile's credit vendor Experian that was at fault for a similar breach into the company's customer data in 2015. "At T-Mobile, privacy and security is of utmost importance, so I will stay very close to this issue and I will do everything possible to continue to earn your trust every day," Legere wrote at the time.

Six years later, Sievert offered a similar promise: "There is much work to do, and this will take time, and we remain committed to doing our best to ensure those who had information exposed feel informed, supported, and protected by T-Mobile."

A look at the perpetrator

Sievert suggested that T-Mobile's latest hack involved a relatively sophisticated attack. "While we are actively coordinating with law enforcement on a criminal investigation, we are unable to disclose too many details," he wrote. "What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data."

That, however, is not the same picture painted by the purported hacker himself, who spoke with the Wall Street Journal this week. According to the publication, John Binns, a 21-year-old American who moved to Turkey a few years ago, "managed to pierce T-Mobile's defenses after discovering in July an unprotected router exposed on the Internet. He said he had been scanning T-Mobile's known internet addresses for weak spots using a simple tool available to the public."

Binns told the WSJ that "generating noise was one goal," but he did not say whether he sold any of T-Mobile's data or whether he was paid to break into the company's systems.

Others who spoke with the WSJ suggested T-Mobile's systems appeared to be insecure. "That to me does not sound like good data management practices," Glenn Gerstell, a former general counsel for the National Security Agency, told the publication of the details of the hack.

Lawyers and consultants

As a result, it comes as little surprise that T-Mobile is now facing a number of lawsuits over the breach.

"The lawsuit seeks to recover damages on behalf of all T-Mobile customers who were affected by the data breach," law firm Federman & Sherwood wrote in a release.

Sievert said the company is working on a number of strategies to address the situation, including offering affected customers McAfee's ID Theft Protection Service and T-Mobile's Scam Shield service.

"Today I'm announcing that we have entered into long-term partnerships with the industry-leading cybersecurity experts at Mandiant, and with consulting firm KPMG LLG," Sievert added. "We know we need additional expertise to take our cybersecurity efforts to the next level – and we've brought in the help. These arrangements are part of a substantial multi-year investment to adopt best-in-class practices and transform our approach. This is all about assembling the firepower we need to improve our ability to fight back against criminals and building a future-forward strategy to protect T-Mobile and our customers."