On August 14th, the world learned of a data breach affecting nearly 100 million T-Mobile customers. T-Mobile, one of the biggest mobile communications service providers in the United States and the world, learned that sensitive data stored on its own servers had been compromised. Included in this breach were Social Security Numbers, phone numbers, full names, dates of birth, and driver’s license information. In addition, this data is not just from current customers of T-Mobile—the data of millions of people who had just applied for accounts or for credit with T-Mobile was also compromised. That means that even people who are not customers of T-Mobile now must worry about their information being sold to someone else. T-Mobile has acknowledged the attack and confirmed there is no further threat, but has provided minimal guidance to customers on how they can protect themselves beyond the customary 2 years of credit monitoring services. What is even more concerning is that T-Mobile has reached out only briefly to customers whose data was stolen, by sending them a text message. The language of the text is below:
“T-Mobile has determined that unauthorized access to some of your information, or others on your account, has occurred, like name, address, phone number and DOB. Importantly, we have NO information that indicates your SSN, personal financial or payment information, credit/debit card information, account numbers, or account passwords were accessed. We take the protection of our customers seriously. Learn more about practices that keep your account secure and general recommendations for protecting yourself: t-mo.co/Protect”
It is unclear how this attack happened, but according to the seller of the compromised data, the method for accessing T-Mobile’s servers was closed off shortly after the attack occurred. Suffice it to say, when someone has all of that data, it is relatively easy to impersonate a victim and open accounts in their name. That is the reason the seller listed an offer price of 6 bitcoin—nearly $270,000. While that number may not seem too high for millions of different customers’ data, these customers face a looming threat for years down the road. As for guidance on how to navigate the future after your data has been stolen, T-Mobile has offered 2 free years of identity protection through McAfee, suggested setting up T-Mobile’s Scam Shield service, and recommended other resources to mitigate identity theft such as a credit lock. The question remains: has T-Mobile done enough, both for this attack and for future attacks?
T-Mobile at least wants their customers—future, former, and current—to think so. T-Mobile announced a partnership with cybersecurity experts Mandiant (a FireEye subsidiary) and KPMG. The hope is that Mandiant and KPMG can review T-Mobile’s current cybersecurity infrastructure and offer guidance on best practices to keep it safe. What their blog report still does not address is a more comprehensive way to notify customers that their data has been breached. Are these responses from T-Mobile enough to keep their current customers? Only time will tell.