#telecom #breach #recurrence

T-Mobile, Again

Half a dozen breaches in five years made T-Mobile the case study in what happens when a carrier becomes a habitual loser of customer data.

Cyber Chronicle, 2 min read

In August 2021, T-Mobile disclosed that an attacker had stolen the personal data of approximately fifty-four million current, former, and prospective customers — Social Security numbers, driver's license details, IMEIs, and in some cases account PINs. The attacker, a young man living in Turkey, later gave a media interview describing the intrusion as the result of "awful" T-Mobile security: a single unprotected GGSN router exposed to the internet, accessible with default credentials.

A repeating pattern

T-Mobile's 2021 incident was not isolated. The company disclosed notable customer-data breaches in 2018, 2019, 2020, and 2023, in addition to the headline 2021 event. Multiple class actions were consolidated, and a $350 million settlement followed in 2022. In 2024, the Federal Communications Commission imposed an additional $31.5 million civil penalty and, under a consent decree, required T-Mobile to invest several hundred million dollars more in security controls.

The recurrence drew explicit comment from regulators, who treated the pattern itself — rather than any single intrusion — as the underlying problem. Internal accounts that have surfaced through litigation suggest a security program perennially outpaced by the volume of data the company held and the speed of its merger-driven IT integration.

What the chronicle remembers

T-Mobile is the standing example of breach recurrence as a strategic condition rather than a series of accidents. The case is increasingly cited in policy proposals — sector-specific regulation, mandatory minimum controls, executive personal liability — that take serial failure as a signal regulators ought to act on directly.