Person traveling with backpack and an iPhone



In August of 2021, Vice’s Motherboard broke the story of a hacker who claimed to have the personal details of 100 million people, retrieved from a T-Mobile server. According to Motherboard, the information included “social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver licenses information.”  Motherboard, in contact with the hacker, verified a sample of the data as accurate T-Mobile customer information.

The hacker began shopping around a 30-million-person subset of the data, with the rest of the data being sold privately.

T-Mobile later confirmed the data breach, ejected the hacker and closed the backdoor. It’s worth noting that this is not the first T-Mobile breach that exposed customer data. T-Mobile reported breaches in 2018, 2019 and 2020 as well.

Just days later, the culprit identified himself as 21 year old Virginia native, John Binns, now living in Turkey, in an interview with the Wall Street Journal. Binns says the attack was intended to harm US infrastructure in retaliation for what he claims is mistreatment at the hands of US law enforcement agencies.

Binns claims he first infiltrated T-Mobile's network through an unprotected router in July before gaining access to a data center where was able to then probe over 100 servers. Binns has not admitted to being financed by a third party, or if he had help from inside T-Mobile, but did admit to WSJ that he needed help accessing T-Mobile databases.

The incredible takeaway from a breach like this is that your data, ostensibly safe with your vendor or provider, may not just be breached for a financial gain, but also as a political act. That kind of conviction can be just as much of a motivator as a payday.

As the rationale for such a large scale hack expands, and the avenues to pull it off grows, it is absolutely critical to remain vigilant with the vectors you can control, and to have trust in the organizations managing your data for the vectors you can’t. The firms you share and store data with should have very good reputations and world class policies in place. This, of course, applies to both business and your own personal accounts.