T-Mobile, one of the world’s largest telecommunications providers and mobile networks, admitted this week that over 40 million customers had been impacted by a data breach. With a reported 104 million T-Mobile customers, this latest breach has hit a significant number of the user base.
The company released a statement saying “a highly sophisticated cyberattack” was to blame for the exposure.
Of the information breached, social security numbers, names, phone numbers, and account pins were accessed.
Commenting on the news and offering their insights are the following cybersecurity experts:
Trevor Morgan, Product Manager, comforte AG:
“The reported data breach affecting T-Mobile and T-Mobile customers could have significant repercussions across the board. While more details still need to be substantiated (and T-Mobile says they are actively investigating the incident), T-Mobile customers should do what they can to protect against any further compromise by locking down personal credit and other accounts and exercising hyper-vigilance in the days and weeks to come. For T-Mobile, the situation brings up privacy concerns and questions about the level of due diligence they’ve enacted to prevent hacks and data breaches—the outcome, depending on the facts, could include fines, legal action, and of course reputational damage.
The average enterprise, though, has an opportunity to learn from this. T-Mobile is an international company with ample resources at their disposal to prevent situations such as this, but the truth of the matter is that hacks and breaches are inevitable even for the most well-protected enterprise. Defensive methods such as protecting perimeters around data are not fool-proof, and a determined threat actor can always find ways to circumvent this type of data security. Better to investigate data-centric security that protects the data itself instead of the borders around it. Methods such as tokenization replace sensitive data elements with representational tokens, rendering any stolen data useless. Learning from the T-Mobile incident and determining how data-centric security could augment your security posture would definitely be a good call.”
Martin Jartelius, CSO, Outpost24:
“The data that is indicated by preliminary sources point to the kind of information useful in frauds where the identities of others is used. It is very hard for affected individuals to take action at this moment as the actual illegal use of the data wont target those individuals directly but rather be used in attempted frauds against third parties.
Without going into details it is quite unsettling that such large amounts of sensitive information has been both stored in such a manner it could get extracted without detection, as well as the fact those sets of data don’t seem to have been stored encrypted. However it is still too soon to make any certain statements, we can just hope T-Mobile are successful in their investigation and help concerned customers.”
Chris Sedgwick, Security Operations Director, Talion:
“Whilst nothing has been confirmed yet, the report that T-Mobile, a major telecom operator has suffered a major data breach, indicating that sensitive data of up to 100 million customers, including names, mobile numbers, addresses, financial details may be visible to unauthorised actors. This would be classified as sensitive data and could land T-Mobile a heavy GDPR fine. On a practical level, although it is believed no passwords were exposed, the type of data that has been breached such as drivers licence details and Social Security numbers holds significant value to criminals given that this information can be used to enumerate money from victims or to set up bank accounts/loans in their name using these details. Unlike passwords that can easily be changed, the details exposed in this alleged breach are harder to remediate.”
Christos Betsios, Cyber Operations Officer at Obrela Security Industries:
“T-Mobile has now confirmed that it has suffered a data breach, with 7.8 million current customers, and over 40 million former and prospective customers impacted. While it is positive news that no financial information appears to have been accessed, it doesn’t make this breach any less concerning.
According to the latest update from T-Mobile, customer names, dates of birth, phone numbers, ID information and account PINs were exposed. This kind of data is incredibly useful to hackers, as phone numbers and names can be used for phishing scams, while social security numbers, names, dates of birth, and driver’s license information can be leveraged for identity theft.
Affected customers should make use of the ID Theft Protection Service that T-Mobile is offering to customers, but should also work with credit monitoring services to ensure no credit applications are taken out in their names by attackers.
While there can be no denying that data breaches are commonplace today, you would hope a company as large as T-Mobile would learn from previous incidents to harden its systems and improve security. Reports have suggested the company has already been impacted by as many as six separate data breaches, this raises alarm bells and suggests the company’s security program has a number of flaws which need to be addressed.”
Sam Curry, Chief Security Officer, Cybereason:
“As T-Mobile continues an investigation into a recent data breach that has impacted more than 100 million customers, the only people who know the situation right now are on the inside at T-Mobile. I am looking forward to their continued transparency in the days ahead as the investigation continues. They haven’t played the victim card which is wise, and they can only be seen as the hero, never the victim.
This breach is a reminder that as consumers our personal information has been stolen many times over and sold on the DarkWeb. It appears that social security numbers, government ID numbers, drivers’ license information and other personal information is being made available for sale. However, what is most concerning is the availability of mobile phone identity numbers tied to each specific customer’s phone. With a blend of consumer data, criminals can more easily dupe consumers into opening phishing emails and phishing texts.
Data breaches, ransomware attacks and other malicious threats are not receding, only increasing in frequency and severity. We should all be on the lookout for the back-to-school scams and typical post summer resurgence of business that will only likely herald an uptick in attacks while whetting the appetites of cyber criminals to carry out more brazen attacks.”