T-Mobile has a cybersecurity problem, and after half a decade, it still hasn’t managed to deal with it.
The country’s second-largest wireless operator disclosed in a regulatory filing on Thursday that the data of 37 million of its customers was stolen in a breach. Security experts say that although the data is not extremely confidential, its compromise could put these people at high risk of being deceived or targeted by cybercriminals.
Sound familiar? That’s because T-Mobile was already dealing with the fallout from a data breach in 2021 that compromised the personal information of nearly 77 million people. T-Mobile agreed to a $500 million settlement in that case in July.
This marks just the latest in a string of incidents stretching back to 2018, a major blot on a company that once championed the “Un-carrier” movement to defend consumers screwed over by the wireless company. The sheer volume of incidents has experts questioning whether staying with the carrier puts you at risk.
“Five breaches in five years,” noted Chester Wisniewski, director of field technology for applied research at security firm Sophos. “People can decide for themselves if they want to stay with T-Mobile.”
While Verizon and AT&T have dealt with data compromises in recent years, they’ve been minor compared to the issues T-Mobile has faced.
In T-Mobile’s most recent compromise, cybercriminals used a company API, or application programming interface, to steal data linked to customers’ accounts. APIs are commonly used features that allow the transfer of data between different software applications.
The stolen data included customer names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, and information about what plan features they have with their carrier and number of lines. on your accounts.
T-Mobile on Friday declined to make an executive available for an interview or to comment beyond the statements it has already issued.
In its Thursday press and Securities and Exchange Commission release, the company tried to downplay the value of what was stolen, noting that customers’ financial information and their more private information, such as Social Security numbers, were not compromised.
That’s misleading, said Justin Fier, senior vice president of red-team operations at AI security firm Darktrace.
“I would argue that we shouldn’t oversimplify this,” Fier said, adding that such a trove of consumer profiles could be useful to everyone from nation-state hackers to criminal syndicates.
“There are dozens of ways that stolen information can be weaponized.”
This includes SIM-swapping attacks, where cybercriminals contact a wireless carrier and use stolen personal information to impersonate account holders and then ask for their phone number to be transferred to a new card. YES. Doing so can give them access not only to the wireless number and account, but also to any two-factor authentication codes that may arrive on the phone via SMS.
That’s why, Wisniewski said, it’s important that consumers, especially those engaged in the T-Mobile breach, don’t use SMS as a two-factor authentication method for bank, retirement, cryptocurrency and other critical online accounts.
In addition, all wireless customers should make sure their accounts are protected with a PIN or password, which can also help stop SIM swaps, he said.
Meanwhile, Fier, who spent more than a decade working in counterterrorism before joining Darktrace, said nation-state hackers could also use the data to connect the dots between people for intelligence purposes.
For ordinary people, there is a greater possibility of being targeted by scammers, possibly impersonating T-Mobile, via phone or email. Armed with small pieces of important information, such as account numbers, these scammers will appear much more convincing, he said.
Taking all that into account, Fier, a T-Mobile customer himself, said he won’t be losing much sleep over the breach or switching carriers. He notes that there is still not enough information about how exactly the breach occurred or whether T-Mobile is to blame.
The best thing all consumers can do is increase their personal security by changing their passwords, enabling two-factor authentication whenever possible, and accepting free credit monitoring offers from companies when breaches happen.
Wisniewski was less charitable, saying that based on T-Mobile’s track record over the past few years, he would never recommend them, but noted that the other wireless carriers aren’t exactly perfect either.
“None of these companies are saints,” he said.