The T-Mobile Cyberattack Exposed Deep Data on Nearly 48 Million Customers. The recently announced cyberattack against T-Mobile is significant for a number of reasons—including the depth of data exposed. T-Mobile reports the data theft includes first and last names, Social Security numbers, and driver’s license information. The Wall Street Journal notes that criminals could use such a wealth of data to open bank accounts or take out loans in the names of others, or in other ways steal their identities. The newspaper quotes Tom Kelly, president of data-breach response company Identity Theft Guard Solutions Inc., known as IDX, as saying: “You can start forming an identity on somebody when you start saying, ‘I’ve got a name, I’ve got an address, I’ve got a Social Security number, I’ve got a driver’s license.’ You can start putting these things together.” The cyberattack against T-Mobile is also significant because it isn’t the company’s first. Security publication Bleeping Computer reports: “This is the sixth major data breach suffered by T-Mobile during the last four years.” The Wall Street Journal quotes Allie Mellen, a cybersecurity analyst at research firm Forrester Inc., as saying: “It seems T-Mobile has not learned from these previous breaches, especially considering they didn’t know about the attack until the attackers posted about it in an online forum.”
T-Mobile’s Data Breach Included Millions of Non-Customers. The New York Times reports that “stolen files included information from approximately 7.8 million current T-Mobile accounts, as well as records of more than 40 million former or prospective customers who had applied for credit with the company.” Vice Magazine, which appears to have been the first to report the data breach, even before T-Mobile, writes: “On the underground forum the seller is asking for 6 bitcoin, around $270,000, for a subset of the data containing 30 million Social Security numbers and driver licenses. The seller said they are privately selling the rest of the data at the moment.”
FCC to Probe T-Mobile Data Breach. Reuters reports that the U.S. Federal Communications Commission (FCC) has announced it will investigate the recent data breach disclosed by T-Mobile. Reuters quotes an FCC spokesperson as saying: “Telecommunications companies have a duty to protect their customers’ information. The FCC is aware of reports of a data breach affecting T-Mobile customers and we are investigating.” Similar sentiment was expressed by Yuan Stevens, a researcher at Ryerson University in Toronto who has studied the 2018 T-Mobile breach. Stevens told The New York Times that T-Mobile’s system of handling security complaints put the onus on consumers to keep their information safe. Stevens added: “I do not think it’s on the individual to protect their data. We should not have to opt out of using services in order to protect ourselves. Instead, institutions should be responsible for protecting consumer data.”
Why Wasn’t the T-Mobile Data Encrypted? That’s a question many security professionals are asking. As a best practice, sensitive information, including the high-value personally identifiable information (PII) that T-Mobile was holding, should be encrypted while sitting on servers, as well as when in transit between computers. Had the T-Mobile PII been encrypted, this would have been a non-story, as the hackers would have simply downloaded data that they couldn’t read.
T-Mobile Hack: How to Protect Your Personal Information After a Data Breach. That’s the very relevant headline from a recent CNET article which provides five logical steps to take:
1. Temporarily freeze your credit
2. Monitor your credit
3. Sign up for identity theft monitoring
4. Use a password manager
5. Don’t wait to take action
Doing all of the above should help to keep you safe from identity theft and other forms of fraud, but as others have noted above, it is onerous to expect the victims to have to fend for themselves after such attacks. Tighter security—and encryption of data—can help protect millions from the next cyberattack.
Clinton A. Pownall is the President & CEO of Computer Business Consultants and has been in the IT field since 1990. Pownall served in the U.S. Navy for six years as a Weapons Systems Technician and has a Bachelor of Science in Computer Engineering. Through Computer Business, he was one of the first to pioneer VoIP technology using satellite communications. He is a member of the Florida Police Chiefs Association and advises law enforcement agencies on cybersecurity. Pownall serves on several boards and committees, has a strong affiliation with various arts and education groups and local school districts, and served in regional efforts of the Bill & Melinda Gates NextGen Foundation. He’s served as a Vice President of the Board of Directors for the Orlando Shakes Theater and is actively involved in the South Lake Chamber of Commerce, West Orange Chamber of Commerce, and the Orlando Economic Partnership.