Cellphones Privacy Security

America's FCC Orders T-Mobile To Deliver Better Cybersecurity (csoonline.com) 6

T-Mobile experienced three major data breaches in 2021, 2022, and 2023, according to CSO Online, "which impacted millions of its customers."

After a series of investigations by America's Federal Communications Commission, T-Mobile agreed in court to a number of settlement conditions, including moving toward a "modern zero-trust architecture," designating a Chief Information Security Officer, implementing phishing-resistant multifactor authentication, and adopting data minimization, data inventory, and data disposal processes designed to limit its collection and retention of customer information.

Slashdot reader itwbennett writes: According to a consent decree published on Monday by the U.S. Federal Communications Commission, T-Mobile must pay a $15.75 million penalty and invest an equal amount "to strengthen its cybersecurity program, and develop and implement a compliance plan to protect consumers against similar data breaches in the future."

"Implementing these practices will require significant — and long overdue — investments. To do so at T-Mobile's scale will likely require expenditures an order of magnitude greater than the civil penalty here," the consent decree said.

The article points out that an order of magnitude greater than $15.75 million would be $157.5 million...

  • Yes sir! Right away sir!

  • This statement shows a fundamental misunderstanding of Cyber Security: "To do so at T-Mobile's scale will likely require expenditures an order of magnitude greater than the civil penalty here". Cyber Security scales. Fortune 400 companies spend a much smaller fraction of their budget per-employee on cybersecurity than medium-sized companies, and small organizations can't really afford a reasonable defense. There is no excuse for T-Mobile to not be better at this.
    • Cyber Security scales.

      Yes and no: Building a 3-level house from scratch costs a little more than a 2-level house from scratch. Lifting a house and building under it doubles the cost of the house. If "modern zero-trust" means the latter to T-Mobile, of course, they didn't modernize their online security.

      Contrary to the claims of the US uber-rich, capitalism doesn't produce better outcomes but it's easier to hide externalities.

      There is no excuse ...

      Sure there is, profit: There's limited liability for bad security and even less responsibility be

  • by Z00L00K ( 682162 ) on Saturday October 05, 2024 @02:24PM (#64842175) Homepage Journal

    I see that there's a lot of talk about "Zero trust architecture", but it seems to me that it's only part of the solution since it only talks about mutual authentication.

    What it doesn't say is that part of security is to compartmentalize. Don't let two systems share the same data segment. That way you'd even prevent the attempt to authenticate towards the wrong system.

    Another factor that flies under the radar, so to say, is software upgrades. At a software upgrade on either side of a trusted system there's a risk that some new features were added that suddenly introduce a security threat that can't be easily detected.

    Then we have the security risk of centrally managed networks. What if the central network management team is hacked? Realize that they are the goldmine strike for hackers. In a large business even having a zero trust between various sites is important down to the lowest network level. Each site shall be able to work standalone and disconnected from the other parts of the corporate network. There are features shared between sites that can be accepted to be lost, but it should keep a reasonable operational level.

    With a high level of centralization of network management there's yet one more factor involved - the ability to understand a local site and know what's important for that site as well as being able to handle problems around lost connectivity. It's impossible for someone in India to see if it's a power outage or an ISP problem in the UK, the only thing they can see is that the site is offline.

  • Even $157 million is just a slap on the wrist for a company as big as T-Mobile.
