Ask an Expert: History Repeated with Another T-Mobile Data Breach

Ask an Expert: History Repeated with Another T-Mobile Data Breach

T-Mobile has been in the headlines often for all the wrong reasons – multiple data breaches that have affected millions of customers. The telecom giant has a history of struggling to keep its users’ information safe. Understandably, these events caused an uproar among customers, and they were quick to demand answers and improved security measures. Keep reading for a look into the history of T-Mobile data breaches, the most recent 2023 T-Mobile Data Breach and how it affected current and prospective customers, and statements from our Director of Cybersecurity.

 

The Summarized History of T-Mobile’s Data Breaches

Since 2018, nine hacks have been disclosed by T-Mobile, with half being in the last three years. These previous breaches ranged from the following:

2018-2020

  • August 2018: About 3% of customers (2.3 million) were affected by unauthorized access to personal customer data, including the name, billing zip code, phone number, email address, account number, and account type of users.
  • November 2019: Less than 1.5% of customers (over a million) were affected by unauthorized access to name, billing address, phone number, account number, rate, plan, and calling features (such as paying for international calls).
  • March 2020: Unknown amount of customers affected by unauthorized access to names and addresses, phone numbers, account numbers, rate plans, and billing information.

 

2021-2023

  • January 2021: Less than 0.2% of customers were affected by unauthorized access to name, phone number, account number, and billing address.
  • February 2021: Unknown amount of customers were affected with unauthorized access to names, addresses, email addresses, account numbers, social security numbers (SSNs), account personal identification numbers (PIN), account security questions and answers, date of birth, plan information, and the number of lines subscribed to their accounts.
  • August 2021: 40 million former or prospective customers affected with unauthorized access to names, date of birth, SSN, and driver’s license/ID information, were compromised. 7.8 million customers were affected by unauthorized access to name, date of birth, SSN, and driver’s license/ID information, as well as 5 million customers affected with unauthorized access to phone numbers, as well as IMEI and IMSI information.
  • December 2021: “A very small amount of customers” experienced SIM Swap Attacks – meaning a SIM card assigned to a mobile number on their account may have been illegally reassigned or limited account information was viewed.
  • April 2022: Stolen source code after T-Mobile employees’ credentials were stolen online. No government or customer data were compromised.
  • January 2023: In November 2022, 37 million customers were affected by unauthorized access to name, billing address, email, and phone number. This breach wasn’t discovered until months later, in January 2023.

 

Although this list may seem extensive, it doesn’t include other bugs and vulnerabilities discovered at T-Mobile over the years.

 

2023 T-Mobile Data Breach: T-Mobile’s Response

After the most recent breach earlier this year, T-Mobile wrote in its SEC disclosure that since 2021, they have made a “substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity.” They state that they’ve made substantial progress since and backed their statement by pledging $150 million toward enhancing their cybersecurity.

All things considered, we can only hope to see the results and benefits of their cybersecurity improvements, as T-Mobile claims that protecting customer data is their top priority.

 

Potential Impacts On Current and Prospective T-Mobile Customers

​​The latest data breach by T-Mobile will likely negatively impact current and prospective customers. As news of the recent breach spreads and more awareness is made about T-Mobile’s long history of breaches, people may have become wary of trusting their personal information with T-Mobile and may take their business elsewhere. It may also cause some customers to question the overall security of T-Mobile’s systems, and as a result, they may choose not to use their services.

It can be challenging to trust a company that has had multiple data breaches in its history. Still, it’s important to remember that T-Mobile has taken immediate action following its numerous breaches. They invested heavily in improved security measures and are now working to enhance their cybersecurity.

 

Class Action Lawsuit for January 2023 T-Mobile Data Breach

T-Mobile isn’t the first organization to suffer multiple breaches over the years, and it certainly won’t be the last. Though T-Mobile has acted quickly over the years to shut down breaches, address customers’ concerns, and offer settlements. A recent Class-Action Lawsuit was filed against them for the most recent breach announced in January 2023 breach. The lawsuit states, “T-Mobile failed to exercise “reasonable care” in safeguarding the private information of millions of consumers from a data breach announced around January 20, 2023.” Learn more about the class action lawsuit here.

 

 

The Future of T-Mobile After Its Numerous Data Breaches

The 2023 T-Mobile data breach and the prior breaches have been unfortunate events that left many of its customers feeling violated over the years. Though events like these are unprecedented, it becomes a bit concerning when they repeatedly occur to a company of this size. Since its most significant breach in 2021, T-Mobile has announced its efforts to enhance cybersecurity by pledging $150 million toward the cause and working with leading cybersecurity experts to transform its approach to cybersecurity. We have seen quick responses after past breaches and hope to see improvement in the future.

 

Ask An Expert: FAQ with Edge Networks’ Director of Cybersecurity

What are the most common causes of data breaches?

This is a great question; I believe that the most common causes of data breaches are misconfigurations and human error. Specifically, ensuring that MFA is enabled, and if not, that is considered misconfiguration. An example of human error would be to accept a request asking for approval to allow login if it is not actually you requesting the access.

 

T-Mobile has disclosed nine hacks since 2018. Why does it keep happening?

Very tough to say. T-Mobile is a national carrier with a lot of information, which makes its organization a desirable target. Cybersecurity is not one-size-fits-all. The best an organization can do is ensure they’re following a well-established security framework and aligning themselves with it.

 

Should I switch providers if my current one has suffered a data breach?

Honestly, one would probably run out of options if you tried that. A lot of organizations have been breached. I personally do not believe you have to switch providers. However, I also do not believe an organization is more secure after a breach than before.

 

How can I determine if a company is trustworthy and will handle my data safely?

This is a most excellent question! Ask the company if they have a SOC2 type 2 report that they can share. If they don’t, and the data you plan on having them work with is critical, you might consider walking away. If more consumers asked businesses for this information, they would work towards achieving a higher cybersecurity posture.

 

How can organizations protect themselves from data breaches?

Treating cybersecurity investments as if they were the paper your organization needed to operate. Cybersecurity should never be an afterthought, and organizations need to prepare and budget.

  1. Establish a security framework, and work towards “checking” all the boxes.
  2. Ensure that you have security awareness training for all
  3. Setup Multi-Factor Authentication (MFA)
  4. Work with partners that can help secure and align your business

 

How should organizations respond after a data breach?

All organizations should be 100% TRANSPARENT. Many laws are coming down the pipeline for organizations. In fact, a few states that already have stronger notification laws in place, such as California. It’s not unrealistic to believe several others will be following their lead. Work on the plan that was hopefully implemented before the breach occurred.

 

Conclusion

For many people, the latest T-Mobile data breach has left them concerned and vulnerable. If you have any questions or concerns, feel free to contact us. We’d love to chat with you!

Don’t Be the Next Company Sending Out a Notice of Data Breach Letter

Don’t Be the Next Company Sending Out a Notice of Data Breach Letter

Why do so many companies fail to take data security seriously? From what we have seen, companies fail to take data cybersecurity seriously enough for the following reasons:

 

  • They believe that ensuring compliance with a security framework, such as FISMA or NIST, is enough.
  • They haven’t experienced a security breach in the past, so they don’t believe they’ll deal with a security breach in the future.
  • They don’t want to deal with the hassle and/or don’t have the knowledge to find and implement the right security solutions.

 

Does anything listed above sound familiar? Most businesses are surprised when reality strikes them and they must write their clients, consumers or patients a letter with the subject line: Notice of Data Breach.

To help you get prepared for if disaster strikes, we have created a FREE Cybersecurity Incident Response Plan template that you can implement in to your business, which you can find at the end of this post.  

 

Yet another example of a company’s failure to take preventive measures against computer security breaches

Today that “Notice of Data Security Incident” letter came to me from The Oregon Clinic , and alarms went off in my head. For the past 2 ½ weeks, I have lived, breathed and dreamt about cybersecurity and what the implications are to a business who does not take the steps necessary to prevent these “incidents” from occurring in the first place. And now I am seeing it not only as it pertains to The Oregon Clinic, but to their patients.

Their letter starts like this: “I am writing to inform you of a data security incident that may have involved your personal information. At The Oregon Clinic, we take the privacy and security of your information very seriously. This is why I am contacting you, offering you identity monitoring services, and informing you about steps that can be taken to protect your personal information.”

 

Person doing paperwork for notice of data breach

It goes on to outline the when, what, and how they plan to resolve this “incident”.

  1. On March 9, 2018, The Oregon Clinic learned that an unauthorized third-party accessed an email account.
  2. The Oregon Clinic immediately disabled the account and began an investigation to determine what had occurred and whether protected health information (PHI) may have been affected.
  3. Cybersecurity experts were engaged, including a digital forensics firm, to determine the nature and extent of the incident.
  4. On April 19, 2018, the investigation determined that PHI may have been affected. This information included patient’s name, date of birth, and certain medical information (that may include medical record numbers, diagnosis information, medical condition, diagnostic tests performed, prescription information and/or health insurance information).
  5. They determined that the incident was restricted to one email account and did not affect any other aspect of The Oregon Clinic’s network.
  6. In addition to their investigation, they are offering additional steps patients can take to protect personal information. This is an identity monitoring service for 12 months at no cost through Experian.
  7. And, lastly, they give recommendations to protect your personal information, (which is a long and arduous task as anyone that has had their personal information/identity put at risk knows). 

 

In an article by Scot Gudger, CEO at The Oregon Clinic, he issues the following statement to Health Data Management:

“We are very sorry this happened and apologize to the patients who have been affected by this incident. We value our patients and will continue to work closely with cybersecurity experts to remediate this situation, and, most importantly, are taking steps to help prevent similar incidents from happening in the future.”

 

This mindset of “Oh we’re sorry, and NOW we will take steps to prevent this” is becoming less and less acceptable in a world where hackers are always looking for that one company with an out of date AV or Firewall, or no IDS/IPS, or the plain and simple mindset of “it won’t happen to us”.

Don’t let yourself become another number in the world of cyber-attack statistics. Your staff and customers deserve the best from you. 

If you’re looking to be more proactive in your cybersecurity incident response plan, we’ve created an outline of five critical components yours should have. Read more about it below.

If you’re unsure of whether or not your network is secure, take our free, self-guided IT Security Risk Assessment, or contact us today for a free, 30-minute consultation.

 

Download a Free Cybersecurity Incident Response Plan Template