Background
On January 5, 2023, T-Mobile US, Inc. disclosed, in a filing with the U.S. Securities and Exchange Commission, that a bad actor had been obtaining customer data without authorization and had collected almost 37 million records! Any guesses as to what could be the reason for this data breach (Hint: the Optus Australia data breach)? Yes, it was once again the abuse of an unsecured Application Programming Interface (“API”) that allowed access without authorization!
Although this is the second largest data hack on T-Mobile, it looks like things haven’t changed for the better. In August 2021, T-Mobile acknowledged that hackers made off with PII data on ~40 million current, former or prospective customers who had applied for credit. T-Mobile agreed to pay $500 million to settle all class action lawsuits and pledged to spend $150 million towards cybersecurity upgrades. Customers in the class action could get around $25 to $100 in compensation (depending on the class action administrator), while T-Mobile reported revenues of nearly $20 billion in the third quarter of 2022 alone! Now that a second hack has been reported, will customers still trust that T-Mobile has done enough to protect their data? We might have to leave it to the customers of T-Mobile to decide!
What data were stolen by the hackers?
The customer data lost includes personally identifiable information (PII) and account information such as:
– Customer name
– Billing address
– Email
– Phone number
– Date of birth
– Account number
– Lines and plan features
Impact of the breach on T-Mobile customers
- Data stolen and exposed in this breach may certainly be used for identity theft
- Customers should fully expect to see phishing attacks impersonating the company
What could be the reasons for so many large-scale breaches?
While large corporations are spending millions on cybersecurity to mitigate daily attacks on their ICT infrastructure, the number of cyber attacks has shown no indication of slowing down. The increased threat requires additional monitoring, training, awareness, constant upgrades and patching more than ever before.
Many corporations are yet to move their systems into a Zero Trust framework (or are in the process of moving), and hackers will continue to exploit such vulnerabilities. It takes a tremendous amount of energy and focus to make this change, and without proper leadership support and budgets being made available, it will be hard to mitigate the impact of breaches.
Security cannot be an afterthought; it has to be built into the design of systems. Writing API code without due consideration being given to authentication and authorization is a serious design flaw. On top of that, if the technical reviews, change control board (CAB) reviews and InfoSec reviews did not catch this flaw, it also highlights a major problem in the security process as well.
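To make the design flaw concrete, here is an added illustration (not T-Mobile's code, and not a reconstruction of their API): a minimal in-memory "customer lookup" handler with no authentication or authorization, next to a hardened handler that authenticates the caller, enforces object-level authorization (a caller may only read their own account), throttles lookups and writes an audit trail a detection team could ingest. All customer records, session tokens, account numbers and function names below are constructed for the example.

```python
"""
Added example: an unauthenticated customer-lookup endpoint beside a hardened
one. Everything here (records, tokens, account ids) is constructed sample data.
"""
import hmac
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample records: the same kinds of PII the article lists.
CUSTOMERS = {
    "1001": {"name": "Alice Example", "email": "alice@example.invalid",
             "phone": "+1-555-0100", "dob": "1980-01-01", "plan": "Unlimited"},
    "1002": {"name": "Bob Example", "email": "bob@example.invalid",
             "phone": "+1-555-0101", "dob": "1975-05-05", "plan": "Basic"},
}

# Constructed session tokens mapped to the account each one belongs to. A real
# service would validate signed tokens against an identity provider instead.
SESSIONS = {"tok-alice": "1001", "tok-bob": "1002"}


@dataclass
class Response:
    status: int
    body: dict


# --- The flaw: an API that answers anyone ----------------------------------
def get_customer_insecure(account_id: str) -> Response:
    """No authentication and no ownership check: whoever can reach the
    endpoint can read any account, so account ids can simply be walked."""
    record = CUSTOMERS.get(account_id)
    if record is None:
        return Response(404, {"error": "not found"})
    return Response(200, record)


# --- The hardened version --------------------------------------------------
REQUEST_LOG = defaultdict(list)   # caller account -> timestamps of recent calls
RATE_LIMIT = 5                    # max lookups per caller per window
WINDOW_SECONDS = 60
AUDIT_LOG = []                    # every decision, for monitoring and forensics


def _authenticate(headers: dict) -> Optional[str]:
    """Return the account id bound to the bearer token, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    for known, acct in SESSIONS.items():
        if hmac.compare_digest(token, known):   # constant-time comparison
            return acct
    return None


def _rate_limited(caller: str, now: float) -> bool:
    """Sliding-window throttle: bulk enumeration trips this long before it
    reaches millions of records."""
    recent = [t for t in REQUEST_LOG[caller] if now - t < WINDOW_SECONDS]
    recent.append(now)
    REQUEST_LOG[caller] = recent
    return len(recent) > RATE_LIMIT


def get_customer_secure(account_id: str, headers: dict,
                        now: Optional[float] = None) -> Response:
    """Authenticate, throttle, enforce object-level authorization, audit."""
    now = time.time() if now is None else now
    caller = _authenticate(headers)
    if caller is None:
        AUDIT_LOG.append({"ts": now, "event": "unauthenticated", "account": account_id})
        return Response(401, {"error": "authentication required"})
    if _rate_limited(caller, now):
        AUDIT_LOG.append({"ts": now, "event": "rate_limited", "caller": caller})
        return Response(429, {"error": "too many requests"})
    if caller != account_id:
        # Ownership check runs before the lookup, so the response does not
        # reveal whether the requested account exists.
        AUDIT_LOG.append({"ts": now, "event": "authz_denied",
                          "caller": caller, "account": account_id})
        return Response(403, {"error": "forbidden"})
    record = CUSTOMERS.get(account_id)
    if record is None:
        return Response(404, {"error": "not found"})
    AUDIT_LOG.append({"ts": now, "event": "read", "caller": caller, "account": account_id})
    return Response(200, record)


def count_events(kind: str) -> int:
    """How many audit entries of a given kind were recorded."""
    return sum(1 for e in AUDIT_LOG if e["event"] == kind)


if __name__ == "__main__":
    print(get_customer_insecure("1002"))                                      # leaks Bob's PII
    print(get_customer_secure("1002", {}))                                     # 401
    print(get_customer_secure("1002", {"Authorization": "Bearer tok-alice"}))  # 403
    print(get_customer_secure("1001", {"Authorization": "Bearer tok-alice"}))  # 200
```

The point of the two `authz_denied` and `rate_limited` audit events is that they are the early signal: a single caller asking for account after account that is not their own is exactly the pattern that should page someone, which is what an unauthenticated endpoint can never produce because it has no notion of a caller at all.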
What can customers do to reduce risks?
- Consider removing your phone number from as many online accounts as possible. Your phone has now become an identity tool (especially for multi-factor authentication), and anyone having access to it is a huge risk.
- Use an alternate email rather than your personal email when registering at company websites.
- Consider and question the need for providing so much identifiable information to companies (even for loyalty points). For example, a seller of groceries has no need for your phone number or email address.
- When starting to do business with any company, ask them about their plans to protect the data they are collecting. Ask simple questions such as: Why do you need this data? How will this data be used and stored? How long will the data be stored? How will the data be removed, or how can your data be removed upon request?
- Move your business to companies that have better security practices and standards. Your money makes all the difference and helps companies focus on data protection if they have not done so before.
Conclusion
Consider the human aspects of the equation as well. Security standards are constantly being upgraded, and not everyone likes the constant reminders to complete long training sessions on cybersecurity until the impact of such a mindset is clearly articulated and communicated to all employees. Sometimes the whole responsibility is left to a handful of cybersecurity experts in a company instead of being treated as a collective responsibility.
It would be prudent for large and small companies alike to assume that security holes already exist in their systems and then start working on finding and fixing them, rather than relying only on external traffic monitoring or a few auditors.
If you found this article helpful, kindly drop a comment or follow us to keep reading such useful articles!