T-Mobile US data breach (Binns)
A 21-year-old American living in Turkey, John Binns, claimed to have hacked T-Mobile via an exposed GGSN router and exfiltrated personal data on 76.6 million current, former, and prospective customers.
- Victim: T-Mobile US
- Loss: $500.0M
- Records: 76.6M
- Users: 76.6M
In August 2021, John Binns — a 21-year-old American citizen living in Turkey — claimed authorship of one of the larger U.S. telecom-sector data breaches. The intrusion exposed personal information on 76.6 million current, former, and prospective T-Mobile customers, and Binns described his motive publicly to the press as retaliation for treatment by U.S. and German government agencies.
It became the canonical case of GGSN exposure and of a lone actor gaining leverage over large telecom infrastructure.
What happened
The entry vector was unusual: T-Mobile had an unauthenticated GGSN router (Gateway GPRS Support Node — the network element handling internet routing for mobile devices) accessible from the public internet. The router's management interface had no authentication requirement at all.
Binns, in his Wall Street Journal interview, described scanning T-Mobile's IP space for accessible services. He found the GGSN around 19 July 2021, used it as a pivot into T-Mobile's internal network, and over the next 27 days queried internal Oracle databases for customer records.
The exfiltrated data included:
- For current and former postpaid customers (~7.8 million): names, dates of birth, Social Security numbers, driver's license / ID numbers.
- For prepaid customers (~850,000): names, phone numbers, account PINs.
- For "prospective customers" (~40 million): people who had submitted credit-check applications but never become T-Mobile subscribers — names, DOB, SSN, driver's license numbers all retained from credit checks years earlier.
- For all (~76.6 million total): device IMEIs/IMSIs.
A criminal listing for 30 million of the records appeared on the Raid Forums marketplace on 13 August, priced at 6 BTC (~$270,000). The listing surfaced before T-Mobile had detected the intrusion internally; T-Mobile confirmed the breach publicly two days later.
Self-disclosure
Binns gave a remarkable interview to the Wall Street Journal on 26 August 2021, eleven days after T-Mobile's disclosure. He:
- Identified himself by name.
- Stated his current location: Izmir, Turkey.
- Described T-Mobile's security as "awful".
- Cited treatment by U.S. and German agencies — claiming he had been previously detained, allegedly tortured, and forcibly hospitalised — as motivation.
- Said he had received approximately $270,000 from intermediaries for partial data resale via the ShinyHunters group.
Binns is a U.S. citizen and has not been arrested. He remains in Turkey; the U.S. has not, to public knowledge, requested extradition. The legal status of pursuing him is complicated by his citizenship and the lack of a clear treaty path between the U.S. and Turkey for cybercrime.
Impact
- 76.6 million customers had personal information exposed, including ~7.8M current/former postpaid customers with full PII and ~40M credit-check applicants with SSNs and DLs.
- $350M class action settlement preliminarily approved in 2022.
- $31.5M FCC consent decree (Sept 2024) split between civil penalty and mandatory cybersecurity investment — and citing this incident together with three subsequent T-Mobile breaches (2022 API abuse, 2023 API abuse, 2023 personal data) in a single enforcement action.
- Direct remediation, investigation, and customer notification: ~$200M+.
- Brand and subscriber-churn impact: hard to estimate but contributed to a measurable T-Mobile customer-satisfaction decline through 2022.
Pattern of T-Mobile incidents
The 2021 breach was the largest in a continuing sequence:
- 2018 — 2 million customer breach.
- 2019 — prepaid customer breach.
- 2020 — employee email account breach.
- 2021 (this incident) — 76.6M.
- January 2023 — 37M postpaid customer API breach.
- April 2023 — additional disclosed PII breach.
The FCC's 2024 consent decree treated the cumulative pattern, not the 2021 incident alone, as the violation.
Why it matters
T-Mobile 2021 is the canonical case for telecom-infrastructure misconfiguration at scale. It established:
- That gateway-class routers (GGSN, packet gateways, GTPv2 elements) are reachable from the public internet at large telecoms and are valuable pivots into broader internal infrastructure. The configuration error was a missed authentication requirement on a single device; the blast radius was 76 million customer records.
- That "prospective customer" retention of full PII for credit-check applicants is a major hidden liability. T-Mobile had retained SSNs and DL numbers for ~40 million people who had never become subscribers — a population that had effectively no expectation of T-Mobile retaining their data.
- That lone-actor breaches at telecom scale are operationally feasible when the perimeter is misconfigured. Binns required no team and no insider; he found one open door and walked through it.
- That the FCC has become a meaningful telecom cybersecurity regulator, with the 2024 consent decree marking a significant escalation from prior FCC enforcement posture.
Financial impact
Reported costs in USD
- Business loss: $150.0M
- Remediation: $200.0M
- Fines & settlements: $150.0M
Timeline
John Binns identifies an exposed GGSN (Gateway GPRS Support Node) router on T-Mobile's infrastructure, accessible from the public internet without authentication.
Binns pivots from the GGSN into T-Mobile's internal Oracle databases and exfiltrates customer records over approximately 27 days.
Listings appear on a criminal forum offering 30 million T-Mobile customer records (incl. SSNs, drivers' licenses, IMEIs) for 6 BTC (~$270K).
T-Mobile publicly confirms the breach. Initial scope: 47.8M records.
Binns gives an interview to The Wall Street Journal identifying himself by name and location (Turkey), describing T-Mobile's security as 'awful'.
T-Mobile revises disclosure: 54.6M total affected. Investigation continues.
T-Mobile expands again: 76.6M current, former, and prospective customers affected.
$350M class action settlement preliminarily approved.
T-Mobile US discloses a second, separate breach affecting 37M postpaid customers via API abuse (Jan 2023).
FCC fines T-Mobile $15.75M and orders $15.75M in cybersecurity investment, citing this and subsequent T-Mobile incidents.
Sources
- t-mobile.com: https://www.t-mobile.com/news/network/cyberattack-against-tmobile-and-our-customers
- wsj.com: https://www.wsj.com/articles/t-mobile-hacker-who-stole-data-on-50-million-customers-the-carriers-security-is-awful-11629985105
- fcc.gov: https://www.fcc.gov/document/fcc-settles-investigations-major-data-breach-tmobile