Data leak
T-Mobile 2021 Data Breach: John Binns (54.6M Records)
Incident Details
In August 2021, John Binns, a 21-year-old US citizen living in Turkey, exploited an improperly secured T-Mobile testing environment that had been exposed to the internet, gaining access to T-Mobile’s internal IT infrastructure. Using this access he reached and exfiltrated data for approximately 54.6 million current, former, and prospective T-Mobile customers. Exposed data included Social Security numbers, names, dates of birth, addresses, driver’s license numbers, and unique IMEI numbers for approximately 13.1 million current customers, plus additional data for former prepaid and prospective customers. Binns later claimed responsibility in a Wall Street Journal interview, saying he gained access in approximately two weeks and that T-Mobile’s security was ‘awful.’ T-Mobile agreed to a $350 million class action settlement and committed $150 million to cybersecurity improvements, for a total remediation commitment of $500 million. T-Mobile had suffered at least four prior major breaches (2018, 2019, 2020, and 2021). Binns was later arrested in Turkey in 2022 in connection with SIM swapping attacks.
Technical Details
- Initial Attack Vector: The attacker, John Binns (21 years old, US-born, living in Turkey), brute-forced his way through T-Mobile's unprotected GPRS Tunneling Protocol (GTP) routers exposed on the internet, gained access to a testing environment, then used that foothold to reach and download T-Mobile's IMSI database and customer data.
Timeline
- 2021-08-01 Breach occurred
- 2021-08-17 Publicly disclosed
- 2021-08-20 Customers notified