The chief executive of T-Mobile US Inc. apologized to customers for a security breach that has exposed personal data from more than 50 million people and said the wireless company was working to strengthen its cyber defenses.

The Bellevue, Wash., company on Friday said it struck long-term partnerships with cybersecurity firm Mandiant and consulting firm KPMG LLG after the hack of its systems that exposed millions of Social Security numbers, birth dates and other data.

“We didn’t live up to the expectations we have for ourselves to protect our customers,” CEO Mike Sievert wrote in a public letter. “Knowing that we failed to prevent this exposure is one of the hardest parts of this event.”

John Binns, a 21-year-old American who moved to Turkey a few years ago, told The Wall Street Journal he was behind the security breach. He said the company’s lax security eased his path into a cache of T-Mobile records. “Their security is awful,” Mr. Binns told the Journal.

It wasn’t immediately clear whether Mr. Binns worked alone or with help. T-Mobile said Friday the attacker first pierced the company’s testing environments before gaining access to other systems through brute-force attacks and other methods.

The breach is the third major customer-data leak that T-Mobile has disclosed in the past two years. The company is the second-largest U.S. mobile carrier with roughly 90 million cellphones connecting to its networks.

The Seattle office of the Federal Bureau of Investigation is investigating the incident, the Journal reported. Mr. Sievert said T-Mobile is cooperating with law enforcement on a criminal investigation.

Mr. Sievert, who joined T-Mobile in 2013, took over as the company’s CEO in 2020 from longtime boss John Legere. The handoff happened just as the carrier was closing the takeover of its rival, Sprint Corp., forming a bigger nationwide carrier to compete with peers AT&T Inc. and Verizon Communications Inc.

“We know we need additional expertise to take our cybersecurity efforts to the next level—and we’ve brought in the help,” Mr. Sievert wrote in Friday’s letter.

He said T-Mobile hired Mandiant to conduct a forensic investigation since it learned about the incident. KPMG’s cybersecurity team will review T-Mobile’s security policies and performance measurement, Mr. Sievert said.

“To say we are disappointed and frustrated that this happened is an understatement,” Mr. Sievert said. He added that the company is confident that it has closed the security hole the hacker accessed and that there isn’t an ongoing risk to customer data from the hack.

The company has notified nearly all current T-Mobile customers or primary account holders who had their data compromised, Mr. Sievert said. Among other measures, the company is offering two years of free identity-protection services with McAfee’s ID theft protection to those who might have been affected by the breach, he said.

Write to Dave Sebastian at dave.sebastian@wsj.com and Drew FitzGerald at andrew.fitzgerald@wsj.com