hack – Techdirt

Millions Of AT&T Customer Call, Text Message Records Leaked

from the here-we-go-again dept

Hey, remember when the FCC tried to implement some really basic consumer privacy protections for wireless and broadband but AT&T convinced GOP Senators to kill those efforts before they could even take effect? Good times.

Anyway, AT&T has revealed that the detailed call and text message data of millions of customers were “illegally downloaded” from a third-party cloud platform. According to the telecom giant, the data includes the phone numbers of “nearly all” AT&T customers, as well as a record of every number AT&T customers called or texted, when the communications happened, and how long the exchanges were.

Unlike a different recent leak of data from roughly 73 million AT&T customers to the open web (which the company tried to pretend somehow hadn’t happened), AT&T’s being far more up front about this breach, providing an entire website explaining the scope of the problem:

“At this time, we do not believe the data is publicly available. We continue to work with law enforcement in their efforts to arrest those involved. Based on information available to us, we understand that at least one person has been apprehended.”

On the plus side, the leak doesn’t seem to include the actual contents of the text messages and calls in question — that we know of. But the breach did reveal cell site identification numbers linked to the calls and texts, meaning physical user location data may have also been compromised.

It sounds like AT&T only discovered this latest attack after it began investigating its previous one, indicating that it might never have known this one happened if Troy Hunt, security researcher and owner of data breach notification site Have I Been Pwned, hadn’t revealed the first one.

It’s worth noting at this point that AT&T has been a relentless champion of dismantling any and all efforts to impose privacy oversight of telecom. You might recall that in 2017 the FCC finally imposed some basic privacy safeguards for wireless and broadband networks, that AT&T successfully lobbied GOP Congressmen to kill via the Congressional Review Act before they could even take effect.

That AT&T works in almost perfect synchronicity with the GOP to ensure that U.S. consumer protection (on privacy and everything else) is as broken and feckless as possible isn’t context most mainstream news outlets think is worth mentioning as important context.

Filed Under: breach, cell phone, consumers, data leak, fcc, hack, privacy, texts, wireless
Companies: at&t

Hackers Gained Access To The Sensitive Data Of 36 Million Comcast Customers

from the whoops-a-daisy dept

Wed, Dec 20th 2023 05:32am - Karl Bode

Hackers have managed to obtain the personal data of 36 million Comcast customers.

In a notice sent to customers on Monday, Comcast announced that hackers had exploited the “CitrixBleed” vulnerability in Citrix networking devices that’s been a problem since at least August. Hackers gained access to a significant portion of Comcast systems between October 16 and October 19, but the company didn’t notice the intrusion until October 25.

It’s taken almost two months for Comcast to identify the scope of the intrusion, determine what data was accessed, and inform customers of the hack, which gave the hackers access to usernames, security questions, contact information, dates of birth, the last four digits of user social security numbers, and hashed passwords (Comcast doesn’t say which hashing algorithm was used).

Comcast attempted to downplay the scope of the hack by insisting they haven’t (yet) seen any instance of the data being used against Comcast customers. Not that they’d have any way to actually know that:

“We are not aware of any customer data being leaked anywhere, nor of any attacks on our customers”

Comcast currently has around 32.3 million broadband customers (and dropping), and 14 million or so TV customers (dropping even faster). I’m a broadband customer (Comcast has a monopoly at my address) and have yet to receive any notification whatsoever.

The Comcast hack — and the telecom giant’s 8 week delay in informing customers — comes as the FCC is considering new rules that would require broadband providers to do a better, faster job informing customers about data breaches. The effort is being uniformly opposed by Republicans, who consistently side with big telecom when it comes to the industry’s never-ending quest for zero accountability.

Filed Under: breach, broadband, cable, hack, privacy
Companies: comcast

The Group Claiming To Have Hacked Sony Is Using GDPR As A Weapon For Demanding Ransoms

from the unintended-consequences dept

We’ve spilled a great deal of ink discussing the GDPR and its failures and unintended consequences. The European data privacy law that was ostensibly built to protect the data of private citizens, but which was also expected to result in heavy fines for primarily American internet companies, has mostly failed to do either. While the larger American internet players have the money and resources to navigate GDPR just fine, smaller companies or innovative startups can’t. The end result has been to harm competition, harm innovation, and build a scenario rife with harmful unintended consequences. A bang up job all around, in other words.

And now we have yet another unintended consequence: hacking groups are beginning to use the GDPR as a weapon to threaten private companies in order to get ransom money. You may have heard that a hacking group calling itself Ransomed.vc is claiming to have compromised all of Sony. We don’t yet have proof that the hack is that widespread, but hacking groups generally don’t lie about that sort of thing, since doing so ruins their “business” plan, and Ransomed.vc has also claimed that if a buyer isn’t found for Sony’s data, it will simply release that data on September 28th. So, as to what they have, I guess we’ll just have to wait and see.

The hack was reported by Cyber Security Connect, which said that a group calling itself Ransomed.vc claimed to have breached Sony’s systems and accessed an unknown quantity of data. “We have successfully compromissed [sic] all of Sony systems,” Ransomed.vc wrote on its leak sites. “We won’t ransom them! we will sell the data. due to sony not wanting to pay. DATA IS FOR SALE … WE ARE SELLING IT.”

The site said the hackers posted some “proof-of-hack data” but described it as “not particularly compelling,” and also said that the file tree for the alleged hack looks small, given the group’s claim that it had compromised “all of Sony’s systems.” A price for the hacked data isn’t posted, but Ransomed.vc did list a “post date” of September 28, which is presumably when it will release the data publicly if no buyers are found.

But what really caught my attention was the description of how this particular group was going about issuing threats to its victims in order to collect ransoms. And part of the group’s reputation is that it compromises its victims and then hunts for GDPR violations, building ransom requests that are less consequential than what the GDPR violation fines would be.

While the hackers say they’re not going to ransom the data, Ransomed.vc apparently does have a history of doing so, with a unique twist: Cybersecurity site Flashpoint said in August that Ransomed takes “a novel approach to extortion” by using the threat of the European Union’s General Data Protection Regulation (GDPR) rules to convince companies to pony up. By threatening to release data that exposes companies to potentially massive GDPR fines, the group may hope to convince them that paying a little now is better than paying a whole lot later.

“The group has disclosed ransom demands for its victims, which span from €50,000 EUR to €200,000 EUR,” Flashpoint explained. “For comparison, GDPR fines can climb into the millions and beyond—the highest ever was over €1 billion EUR. It is likely that Ransomed’s strategy is to set ransom amounts lower than the price of a fine for a data security violation, which may allow them to exploit this discrepancy in order to increase the chance of payment.”

And so because of the mess that the GDPR is, combined with its remarkable level of fines, the end result is that in some respects the EU has empowered rogue hacking groups to act as its enforcement wing for GDPR. And that both sucks and certainly isn’t what the EU had in mind when it came up with this legislative plate of spaghetti.

Frankly, this has some parallels to other unintended boondoggles we’ve seen. What is making the hacking industry such a rich endeavor? Well, in part it’s the cyber-insurance industry and its habit of paying out the bad actors because it’s cheaper than helping their customers recover from ransomware and other attacks. All of which encourages more hacking groups to compromise more people and companies. GDPR appears to now operate in the same way for bad actors.

Well meaning or otherwise, when legislation purported to protect private data and interests instead proves to be a weapon in the hands of the very people most interested in compromising those private data and interests, it’s time to scrap the thing and send it back to the shop to be rebuilt, or discarded.

As to what this Sony hack actually is, for that we’ll have to wait and see.

Filed Under: eu, fines, gdpr, hack, ransomware, threats
Companies: sony

3CX Knew Its App Was Being Flagged By AV Platforms, Did Very Little During Supply Chain Attack

from the whoops dept

If you don’t use the 3CX VoIP platform, or work in the MSP space with companies that do, you may have missed the news that the company suffered a massive supply chain attack over the past few days. With comparisons being made to the SolarWinds fiasco, this was really, really bad. Unsuspecting clients of 3CX, hundreds of thousands of customers, had Windows and Mac versions of the app deployed on their computers with malware snuck inside. That malware called out to actor-controlled servers, which then deployed more malware designed to allow for everything from browser hijacking to remote takeover of the computer entirely. A hacking group associated with the North Korean government is suspected to be behind all of this.

Security firm CrowdStrike said the infrastructure and an encryption key used in the attack match those seen in a March 7 campaign carried out by Labyrinth Chollima, the tracking name for a threat actor aligned with the North Korean government.

The attack came to light late on Wednesday, when products from various security companies began detecting malicious activity coming from legitimately signed binaries for 3CX desktop apps. Preparations for the sophisticated operation began no later than February 2022, when the threat actor registered a sprawling set of domains used to communicate with infected devices. By March 22, security firm SentinelOne saw a spike in behavioral detections of the 3CXDesktopApp. That same day, 3CX users started online threads discussing what they believed were potential false-positive detections of 3CXDesktopApp by their endpoint security apps.

Here’s the problem with that last paragraph: the detections for the malicious code actually began before Wednesday, March 29th. In an updated Ars Technica post, it turns out that customers were noting that some AV agents were flagging the 3CX installer and app going all the way back to March 22nd, a week earlier. And these customers were noting this on 3CX’s own community forums.

“Is anyone else seeing this issue with other A/V vendors?” one company customer asked on March 22, in a post titled “Threat alerts from SentinelOne for desktop update initiated from desktop client.” The customer was referring to an endpoint malware detection product from security firm SentinelOne. Included in the post were some of SentinelOne’s suspicions: the detection of shellcode, code injection to other process memory space, and other trademarks of software exploitation.

Others were, in fact, seeing the same thing. These customers were busy writing exceptions for the application, figuring that a signed, trusted app from the manufacturer itself was likely triggering a false positive. Other users followed suit. 3CX remained silent until Tuesday, March 28th.

A few minutes later, a member of the 3CX support team joined in the discussion for the first time, recommending that customers contact SentinelOne since it was that company’s software triggering the warning. Another customer pushed back in response, writing:

Hmmm… the more people using both 3CX and SentinelOne get the same problem. Wouldn’t it be nice if you from 3CX would contact SentinelOne and figure out if this is a false positive or not? – From provider to provider – so at the end, you and the community would know if it is still safe and sound?

This is, of course, precisely what should have happened. Instead, the 3CX rep said there were too many AV providers to go out there and call them all. Then he or she mentioned that they don’t control the antivirus software, but instructed the user to “feel free to post your findings” once they had called SentinelOne themselves.

Those findings were on display for everyone the following day when the attack and compromise of 3CX became very, very public.

You really would think that after SolarWinds first and Kaseya second, tech companies would know better than to ignore this sort of thing and actually talk to the security firms that are flagging their products.

Filed Under: antivirus, hack, supply chain attack, vulnerability
Companies: 3cx

Hackers Claim To Have Breached T-Mobile More Than 100 Times Last Year

from the you-truly-suck-at-this dept

Thu, Mar 2nd 2023 05:46am - Karl Bode

Back in January, we noted that T-Mobile had recently revealed it had been hacked eight times over the last five years. But a new report by security expert Brian Krebs suggests it could be far worse than that. According to Krebs, hackers are making a compelling case that they’ve managed to compromise the wireless giant’s network and internal systems 100 times in just 2022 alone:

Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests. In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device.

T-Mobile’s problems have been twofold. One, the company has been repeatedly busted for over-collecting and selling sensitive U.S. consumer location data. Two, the company has repeatedly failed to stop SIM hijackers from porting user identities out from under their feet (often with T-Mobile employee help), then robbing them blind:

Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.

The wild thing is none of this is really new. T-Mobile has been fined numerous times for these behaviors, but like most U.S. regulatory fines, they’re a tiny fraction of the money made (or saved) from over-collecting and monetizing user data or cutting corners on security practices. It’s a modest cost of business that’s quickly factored in… and promptly ignored.

T-Mobile routinely proclaims that it’s dedicated to learning from its failures, but it continues to not only fight the belated, modest wrist-slap fines from agencies like the FCC, but it keeps expanding the scope of the data it collects (see its recently unveiled “App Insights” program). You also have to wonder how much of the energy spent on a merger nobody wanted could have gone toward shoring up security.

It’s another example of how the regulatory oversight and penalty structure we have in place to “protect consumer privacy” is utterly feckless. We desperately need a competently crafted privacy law for the internet era that imposes meaningful penalties for companies (and executives personally) that repeatedly fail to protect consumer data. And regulators with the staff, money, and competence to consistently enforce them.

But we don’t do that because very few people in meaningful positions of power genuinely want to upset the very profitable data monetization apple cart. Even if not doing so repeatedly results in widespread market, consumer, and reputational harm. Until we erect meaningful penalties for being security imbeciles, these kinds of scandals are only going to get worse until they culminate in the kind of scandal it will be impossible for those in power to ignore.

Filed Under: hack, privacy, security, telecom, wireless
Companies: t-mobile

Cellebrite Accidentally Leaked Thousands Of Sensitive Documents During Handover To Japanese Corporate Partner

from the as-if-someone-hooked-up-a-Cellebrite-to-Cellebrite dept

When a Cellebrite device is hooked up to a seized phone, the operator presses a few buttons to pull pretty much every bit of data from the device. From there, investigators can try to find the evidence they’re seeking. While the FBI continues to claim device encryption is preventing law enforcement from accessing evidence, plenty of private companies are providing solutions to the problem the FBI claims is unsolvable without backdoors.

It looks as though Cellebrite cellebrited itself a few years ago. Somehow, during normal day-to-day business operations involving its Japanese stakeholder, it performed a data dump of epic proportions that ultimately made its way into the hands of Japanese regulators. Omar Benjakob has the exclusive report for the Israeli news outlet Haaretz.

Sensitive and confidential information relating to intelligence, defense and law enforcement agencies across the globe, including the FBI and Interpol, leaked from Israeli firm Cellebrite, according to court documents cleared for publication at Haaretz’s request.

The information is from 2015-2017 and includes almost half a million emails belonging to senior officials and directors at Cellebrite, their internal communications and exchanges with clients, invoices and even contracts.

These documents first ended up in the hands of Cellebrite’s main shareholder, the Japanese Sun Corporation. From there, they went to Japanese government authorities, who were investigating whether Sun Corporation made use of this sensitive Cellebrite info to engage in insider trading.

All of this was done without the knowledge of Cellebrite’s many customers, who had their internal discussions shared with a stakeholder (which may have been expected to have some access to proprietary info) and Japanese authorities. It also appears to have happened without the knowledge of Cellebrite, which then approached its legal reps to assess the potential fallout of this unexpected leak.

In one of the documents, lawyers hired by Cellebrite wrote: “It is our belief that should the knowledge that such sensitive information was provided to the Japanese authorities be disclosed to Cellebrite customers, it may cause severe reputational damage to Cellebrite (with such clients and others).”

“Cellebrite customers are likely to request to receive from Cellebrite complete disclosure relating to the information disseminated to the foreign authorities, in order to evaluate their exposure,” according to the legal opinion written at Cellebrite’s behest in 2018 and whose publication was cleared by Israeli courts last week.

It’s not just the proprietary info, insight into Cellebrite’s customer base, and internal communications that raise these concerns. It’s also a criminal act in many countries to disseminate sensitive information linked to national security efforts or criminal investigations, even if done inadvertently or without malice. The exposure of this leak could see Cellebrite investigated and charged for mishandling this sensitive information.

The leak shows plenty of government agencies around the world are either current or former customers, including the FBI, DHS, US Marshals Service, ICE, the Royal Canadian Mounted Police, Interpol, the UK Ministry of Defence, and, more oddly, entities like NASA and the Russian embassy in Tokyo.

With all this exposed, thanks to a lawsuit between Cellebrite and consultant David Spector, Cellebrite is playing belated defense, claiming this is nothing more than showboating by Spector and that its massive leak never harmed anyone, much less the now-publicly traded company.

The documents, Cellebrite said, were added to the lawsuit by Spector “for PR purposes only, and with the clear knowledge that this suit is baseless, does not hold water and does not hold any public interest.”

Cellebrite stressed that “the event described in this report happened five years ago and did not have any effect whatsoever on the company’s activities.”

Well, the “PR purposes” part of it appears to be working, even if that was not Spector’s intent. Cellebrite no doubt assures customers their communications, as well as the trade secrets that make Cellebrite worth purchasing, will be well-protected. A massive leak like this is far from reassuring.

As for this having no effect on the company’s activities… well, that remains to be seen. When the leak was still a secret, it may have had minimal effect. But now it’s public knowledge, and that could have some negative effects on Cellebrite’s future.

Filed Under: data breach, david spector, hack, leak
Companies: cellebrite, sun corporation

Avoidable Viasat Satellite Hack Causes Headaches Across Europe And Ukraine

from the as-predicted dept

Thu, Mar 24th 2022 05:20am - Karl Bode

For literally more than a decade researchers have been warning that global satellite telecommunications networks were vulnerable to all manner of attacks. These attacks vary in nature but allow an intruder miles away to both intercept and disrupt satellite communications. In 2020 hackers again clearly demonstrated how these perpetually unresolved vulnerabilities were putting millions of people at risk.

Fast forward to 2022 and a major hack of Viasat’s satellite systems has caused, you guessed it, massive problems for an estimated 27,000 users. The attack on Viasat’s KA-SAT satellite system, suspected to be the work of the Russian government, appears to have been intended to disrupt Ukraine communications in the lead up to war, but managed to impact a very large chunk of Europe:

Viasat told Reuters that the cyberattack was made possible courtesy of a misconfiguration in a “management section” of its network. The impact was severe enough that many users of the satellite in Germany, the UK, France, the Czech Republic, and elsewhere found that their modems had effectively been bricked and “rendered unusable.”

Thousands still remain offline across Europe—around 2,000 wind turbines are still disconnected in Germany—and companies are racing to replace broken modems or fix connections with updates. Multiple intelligence agencies, including those in the US and Europe, are also investigating the attack. The Viasat hack is arguably the largest publicly known cyberattack to take place since Russia invaded Ukraine, and it stands out for its impact beyond Ukraine’s borders. But questions about the details of the attack, its purpose, and who carried it out remain—although experts have their suspicions.

Such spillover impact is routine in such attacks. The attack not only disrupted basic broadband connectivity; 5,800 wind turbines in Germany were also knocked offline, preventing them from being reset remotely should problems develop.

Again, this could have been avoided if companies had heeded researchers and white-hat hacker warnings. But instead, the dominant paradigm tends to be to try and silence those researchers, or misdirect our attention toward security and privacy issues that grab easy headlines, but are less of a direct threat (see: the two year long Trump-era freak out about TikTok).

Vulnerabilities such as the ones in satellite networks, or the massive, obvious security and privacy problems in the “internet of broken things” sector, tend to be downplayed and ignored because they’re “boring” for the press and politicians. As a result, there’s little incentive to do better. Wash, rinse, and repeat.

Filed Under: broadband, cybersecurity, hack, hacking, russia, satellite, telecom, ukraine, vulnerability
Companies: viasat

Verizon 'Visible' Wireless Accounts Hacked, Exploited To Buy New iPhones

from the whoops-a-daisy dept

Thu, Oct 21st 2021 10:55am - Karl Bode

Wireless subscribers of Verizon’s Visible prepaid service received a rude awakening after hackers compromised their accounts, then ordered expensive new iPhones on their dime. Last week a company statement indicated that “threat actors were able to access username/passwords from outside sources,” then utilize that access to log in to Visible customer accounts. Hacked users say the attackers then used that access to order expensive kit, and, initially, getting Visible to do anything about it was a challenge:

Great, someone hacked my @visible account, purchased iPhone using my PayPal, and changed the password. @visiblecare is not responding. Scammer also tricked me with email spams in an effort to make me miss any email notifications from Visible.

— Kristian Kim (@kristiankim) October 13, 2021

The company seemed to initially claim this was an instance of “credential stuffing,” in which hackers take login credentials obtained from breaches of other services, then test those logins against as many services as they can find. But experts doubted that claim, noting that the company had been complaining about issues with its chat services before acknowledging the hack. More specifically, Visible support reps were telling users that ambiguous “technical issues” had left it incapable of making any changes to customer accounts.

There are also questions about when the company knew about the hacks, with it initially trying to claim last week that the hack and subsequent iPhone orders were an ordinary system error:

Although Visible made a public statement yesterday, the company first acknowledged the issue on Twitter on October 8. At the time, Visible provided a vague reason: order confirmation emails erroneously sent out by the company.

“We’re sorry for any confusion this may have caused! There was an error where this email was sent to members, please disregard it,” the company told a customer.

Again, this is where just a basic, internet-era privacy law requiring greater transparency (and perhaps a little more accountability for industries and executives that not only keep failing to secure user data, but clearly aren’t great about being honest with their users) would come in kind of handy. Instead we keep just looking at the problem and shrugging because drafting competent privacy laws is purportedly deemed impossible, letting the repercussions pile up.

Filed Under: breach, data breach, hack, prepaid service, visible
Companies: verizon

Company That Handles Billions Of Text Messages Quietly Admits It Was Hacked Years Ago

from the whoops-a-daisy dept

Tue, Oct 5th 2021 06:47am - Karl Bode

We’ve noted for a long time that the wireless industry is prone to being fairly lax on security and consumer privacy. One example is the recent rabbit hole of a scandal related to the industry’s treatment of user location data, which carriers have long sold to a wide array of middlemen without much thought as to how this data could be (and routinely is) abused. Another example is the industry’s refusal to address the longstanding flaws in Signaling System 7 (SS7, or Common Channel Signaling System 7 in the US), a series of protocols hackers can exploit to track user location, dodge encryption, and even record private conversations.

Now this week, a wireless industry middleman that handles billions of texts every year has acknowledged its security isn’t much to write home about either. A company by the name of Syniverse revealed that it was the target of a major attack in a September SEC filing, first noted by Motherboard. The filing reveals that an “individual or organization” gained unauthorized access to the company’s databases “on several occasions.” That in turn provided the intruder repeated access to the company’s Electronic Data Transfer (EDT) environment compromising 235 of its corporate telecom clients.

The scope of the potentially revealed data is, well, massive:

“Syniverse repeatedly declined to answer specific questions from Motherboard about the scale of the breach and what specific data was affected, but according to a person who works at a telephone carrier, whoever hacked Syniverse could have had access to metadata such as length and cost, caller and receiver’s numbers, the location of the parties in the call, as well as the content of SMS text messages.”

Amazingly enough the hack began in 2016 but was only discovered this year. How much data was accessed? Why did it take so long? Was it a Chinese or Russian sponsored attack? Why was there absolutely no transparency about the breach until now? Why aren’t Syniverse or any wireless carriers being clear about what happened? Have government officials been compromised? Have those officials been notified by anybody? Good questions!:

“The information flowing through Syniverse’s systems is espionage gold,” Sen. Ron Wyden told Motherboard in an emailed statement. “That this breach went undiscovered for five years raises serious questions about Syniverse’s cybersecurity practices. The FCC needs to get to the bottom of what happened, determine whether Syniverse’s cybersecurity practices were negligent, identify whether Syniverse’s competitors have experienced similar breaches, and then set mandatory cybersecurity standards for this industry.”

Between this and the SS7 flaw alone you have to inherently assume that most global wireless communications has been significantly compromised for a long while in some fashion. And like most hacks, the scale of this will only get worse as time goes by. Security and privacy at massive international scale isn’t easy, but these kinds of repeated scandals don’t have to happen. They’re made immeasurably worse by our lack of even a basic internet-era privacy law, intentionally underfunded and understaffed U.S. privacy regulators, and our failure to hold companies accountable in any meaningful way for repeated and massive screw ups. Mostly because doing any of these things might put a dent in quarterly revenues.

Filed Under: data breach, hack, privacy, security, ss7, text messages
Companies: syniverse

T-Mobile Confirms Major Hack, Social Security Numbers And Drivers License Data Exposed

from the here-we-go-again dept

Thu, Aug 19th 2021 06:30am - Karl Bode

Earlier this week reports emerged that T-Mobile was investigating a massive hack of the company’s internal systems, resulting in hackers gaining access to a massive trove of consumer information they were selling access to in underground forums. Initial estimates were that the personal details of 100 million customers had been accessed (aka all T-Mobile customers). After maintaining radio silence as it investigated the hack, T-Mobile has since released a statement detailing the scale of the intrusion. In short, it was smaller than initial claims, but still massive and terrible:

“Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile. Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.”

While T-Mobile notes that none of the PINs used by former or prospective postpaid (billed regularly month to month) customers were accessed, T-Mobile does note that 850,000 active T-Mobile prepaid customers had their names, phone numbers and account PINs exposed. Many others had their social security numbers, driver’s license/ID information, and other data exposed:

“Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.”

While it’s understood why T-Mobile would collect some of this data during a credit check, it’s not clear exactly why it needed to keep this data after the credit check is complete. This, again, is the kind of stuff you could tackle with a basic US privacy law with meaningful penalties for companies that keep getting hacked. For T-Mobile customers I think this is maybe the fifth or sixth time the company has been hacked since 2018. You have to think clear, basic, and consistently enforced federal guidelines and penalties would incentivize companies to not over-collect data and properly secure their systems.

Instead we stand around, shrug, complain that it’s impossible or too hard to have competent governance on this subject, and nothing changes. And when consumers then get hacked (again), the best they get are platitudes like “free credit reporting,” which prove utterly useless given they’ve received “free credit reporting” the last 75 times their data wasn’t properly secured.

It’s not clear how many of these kinds of repeated scandals we need to see before the federal government crafts some basic, competent guard rails, but it’s abundantly clear that, thanks to a broad cross-industry coalition of lobbyists with near-unlimited budgets, it’s not going to be anytime soon.

Filed Under: data breach, drivers licenses, hack, social security numbers
Companies: t-mobile