T-Mobile Hacked For The Eighth Time In Five Years

from the zero-accountability dept

T-Mobile hasn’t been what you’d call competent when it comes to protecting its customers’ data. The company has now been hacked numerous times just since 2018, with hackers at one point going so far as to publicly ridicule the company’s lousy security practices.

Case in point: T-Mobile just revealed in an SEC filing (spotted by TechCrunch) that the company was hacked for the eighth time in five years, this time impacting the privacy and security of 37 million T-Mobile subscribers.

According to T-Mobile, starting in late November a “bad actor” managed to obtain subscribers’ personal data, including names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, and information such as “the number of lines on the account and plan features.” As is usually the case with such breaches, T-Mobile issued a statement trying to downplay it:

“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network.”

The intruder abused an API and didn’t directly access T-Mobile’s systems. But such statements are generally worthless, as the scope of such breaches usually tends to grow as investigators dig deeper. An intrusion found in the fall can be the launchpad for a worse intrusion in the spring.

As with so many modern companies, T-Mobile over-collects data, then doesn’t take the necessary steps to protect said data. It then lobbies U.S. lawmakers to ensure we don’t shore up U.S. privacy protections (as it did when Congress gutted the FCC’s fairly modest broadband privacy rules, or when it lobbies to kill federal reform), and the cycle repeats itself in perpetuity.

T-Mobile has a bit of a history of being sloppy with the vast location data it collects on users, then fighting tooth and nail against whatever slapdash accountability U.S. regulators can feebly muster. T-Mobile recently dramatically expanded the company’s collection of user browsing and app usage data via a new program dubbed “app insights.”

We’ve built a reality where nobody consistently holds giant companies accountable for lax privacy and security standards. As a result, said companies see little meaningful incentive to improve, given they now view modest and pathetic fines levied by feckless U.S. regulators (who, by design, lack the resources to tackle privacy issues at any real scale) as a reasonable cost of doing business.
