Cellphones Privacy

T-Mobile CEO Apologizes For Data Breach Affecting Over 53 Million Users (nbcnews.com)

"T-Mobile CEO Mike Sievert published an open apology to customers Friday after hackers stole more than 50 million users' personal data, including their Social Security numbers and driver's license information," reports NBC News: "The last two weeks have been humbling for all of us at T-Mobile," he wrote. "To say we are disappointed and frustrated that this happened is an understatement."

The incident is the fourth known breach at T-Mobile since 2018, and by far the largest. The full count of how many customers had their data stolen is unclear, but the company said last week it had identified more than 53 million affected customers, most of them on subscription plans. It also included an unspecified number of "prospective" users who are not T-Mobile customers...

It is unclear why T-Mobile was storing customers' driver's license information and Social Security numbers without encrypting them in a way that would make it difficult or impossible for hackers to see them even if they stole them. Jackie Singh, a cybersecurity consultant, said it was irresponsible on the part of T-Mobile, especially for hard-to-change sensitive personal data like Social Security numbers.

"It is frankly bizarre to learn that in this day and age, a major telco continues to store critical customer data in plain text," she said. "Offering two years of credit monitoring services doesn't change the fact that harm was done to their customer base."

NBC says they spoke to the person identified as the perpetrator by the Wall Street Journal, who told them last week that he'd planned to sell the information on more than 100 million users for a hefty profit.

Meanwhile, T-Mobile's CEO now says they're alerting affected users and have set up a hub for victim services. Beneath the words "NOTICE OF DATA BREACH," it adds the tagline "Keeping you safe from cybersecurity threats. What you need to know and how we're protecting you."
  • Victim Services. Now if that's not a great band name, what is?

    • Most companies have security teams to attempt to prevent breaches, but with four breaches and counting, T-Mobile spends their money on a hub to help the victims after they've been breached. From a really cynical viewpoint, I'm not surprised at all that they've been breached again: there are only three mobile phone providers in the U.S. now, so there aren't a lot of alternatives to T-Mobile. It doesn't sound like the first three breaches really hurt their bottom line and there are no significant fines levi
      • there are only three mobile phone providers in the U.S. now, so there aren't a lot of alternatives to T-Mobile.

        I use a T-Mobile MVNO. I use their network, but T-Mobile doesn't have my data for a hacker to steal.

        • Are you sure? Private data of "an unspecified number of "prospective" users who are not T-Mobile customers" was also given away. They said "users" and you said you use their network. If you use their network then T-Mobile might consider you a "prospective" customer. Nobody knows how many of these ghost lists they are on. Expect your letter to show up shortly.
  • Vs say compensating everyone for their screw up
    • It's sad that in 2021 the US still doesn't seem to have significant legal penalties for businesses that cause such large personal data leaks apparently through basic security failures.

      If a breach of this scale, involving data of this significance happened in Europe, and if it really was caused by a negligent failure to apply basic security and data protection measures, potential fines with nine figures would be on the table.

    • by Bruce66423 ( 1678196 ) on Saturday August 28, 2021 @04:00PM (#61739515)

      Oh - does that make your company bankrupt? What a shame. I suggest you sue your auditors for not asking the right questions about the IT security regime...

      • Don't forget to add 'plus documented customer losses' so if the customer has lost $10 million it must be covered.
        Also add shareholder responsibility in cases like these.

    • by suss ( 158993 )

      Pretty much this. Saying sorry doesn't cost a thing and doesn't help any of the victims.

  • But what are you going to do about it? Are you going to fix your shit and (try to) prevent this from happening again or are you just going to sit back and do nothing and then have to repeat this exercise the next time a data breach happens? Put your money where your mouth is!
  • by 140Mandak262Jamuna ( 970587 ) on Saturday August 28, 2021 @11:34AM (#61738663) Journal
    Problem is the lenders advancing loans to every Tom, Dick or Harry who claims to be XYZ without any serious verification. Then going after the real person, long after the event, after lots of debt and interest and charges have been incurred, and demand the real person to prove he/she was not the person who borrowed. This is insane. In no other country the borrower has to prove "I did not borrow the money". It is the lender who has to prove "I lent the money to this person".

    Instead of going after lax security at T-Mobile, let's work to make the information stolen useless to commit fraud. Let T-Mobile ask for consent from its users and formally tell all the credit reporting agencies,

    "The identity of the following person has been compromised. Any lender going after this person should prove the borrower is this real person, not some fraudster. The customer is giving legal announcement if any lender sues them wrongfully, they need to bear the entire cost of defense".

    Sue a few lenders on behalf of its customers who become victims of identity theft and get a precedent-setting ruling.

    • "Instead of going after lax security at T-Mobile" Let's do both…
      • And while we are at it have slashdot fix quotes âoe apostrophes â continuations ⦠and all other escape characters
      • Lax security at T-Mobile is a separate issue.

        The information stolen should not be this valuable. We cannot fix the security in every company that knows our name, address and maybe social security number. We need to make that information worthless. That is the way to protect us from ALL possible security lapses regarding identity. Taking T-Mobile to task and blaming is playing whack-a-mole. That's what the big banks and lenders want us to do. So that they get the marginal benefit of making loan for an im

  • If Jackie Singh really is a cybersecurity consultant, I doubt they said "encrypting." You might want to hash a social security number but that's different from encrypting. Regardless, the reason T-Mobile likely was storing SSNs was to facilitate credit checking and credit reporting. It's amazing the effort exerted in the US to regulate banking to protect the economy at the macro level but there is very little we do to protect individual economic interests. Something like a US. GDPR might help, but the reali
  • by RitchCraft ( 6454710 ) on Saturday August 28, 2021 @12:29PM (#61738819)
    "Keeping you safe from cybersecurity threats. What you need to know and how we're protecting you."
  • I switched to T-Mobile recently out of frustration from smaller carriers having spotty coverage. I've tried a bunch of smaller alternative carriers but have had problems getting signal sometimes in places that are city centers.

    I figured going to a big carrier would fix that problem. It definitely did. And now I have a new problem, which is likely identity theft. What a great onboarding package.

  • I worked at a telecom for several years analyzing customer churn. Most of the analysts in the company had full access to credit bureau information and augmented data sets that were sold by Equifax and others at the time. We could create comprehensive profiles of our customers - the credit info was quite useful for predicting customer attrition, but there was very low security. This was 10+ years ago but the level of access was pretty massive and widely accessible using simple SQL. Many companies have lo
  • The hackers were "exceptionally skilled" and got the data through "highly advanced techniques".
    "Security is our top priority", and "we take protecting our customers' data very seriously".
    We have "engaged a top security firm" and "taken steps to ensure this doesn't happen again".

    Did I miss any?
