IOTW: T-Mobile under investigation following fourth data infringement in three years

Telecoms giant faces slew of lawsuits after hacker was spotted attempting to sell stolen data online

Sarah Williams
09/16/2021


Telecoms giant T-Mobile has finally addressed the financial and reputational impact of the malicious attack it suffered on August 16, with the company’s CEO Peter Osvaldik presenting at Bank of America’s Media, Communications, and Entertainment conference on September 14.

“We definitely saw some temporary customer cautiousness as you would expect, both in terms of gross adds, as well as churn immediately following that breach,” he explained. “Now that we are a couple weeks past it, we have seen consumers have moved past it, and our flows are beginning to normalize. At the end of the day, despite all of this, we remain confident in delivering our full-year results.”

While the immediate-term, blatant customer losses (and lack of customer gains) may have slowed, T-Mobile, America’s third-largest internet provider, still has a massive uphill battle on its hands, including an open investigation by the Massachusetts state District Attorney’s office, as well as some 23 private lawsuits.


The facts

A hacker infiltrated the comms company’s systems, gleaning the names, dates of birth, social security numbers, driver's license information, PINs, and other data belonging to an estimated 50 mn current, former, and prospective T-Mobile customers. This includes those who have simply applied for a contract, as well as large and small business clients.

The truly embarrassing thing for T-Mobile is that its security team failed to spot the intrusion and was only alerted to it because the attacker was attempting to sell the data online. That means the hacker was able to enter the company’s systems, garner the data, and exfiltrate it without detection.

Lessons learned

According to the Wall Street Journal (not yet confirmed by other sources), John Binns, a US-born hacker operating from his mother’s home in Turkey, says that he and his “accomplices” had been looking for vulnerabilities in T-Mobile’s security for a while, and that he was surprised when he finally compromised the company’s system via an unprotected router.

While, according to the WSJ article, his motivations were political and could possibly constitute a cyber terrorism attack, motivations are irrelevant when an organization as large as T-Mobile is so vulnerable – this is the fourth data breach the company has suffered in three years.

While the company claims it has notified every customer who may have been affected, Inc. tech columnist Jason Aten – a T-Mobile customer in the US who may have been impacted – says he has yet to receive any communication from the company.

From a PR perspective, it seems this is one of the worst attacks we have seen in years, and despite Osvaldik’s claims that finances are back on track, the reputational damage – and follow-on financial repercussions – will not be fully assessable until the end of this year, at least.

Quick tips

It can be tough to give sincere pointers on how to improve cyber security when, frankly, an organization’s vulnerabilities seem so blatant. T-Mobile is now offering affected customers a free two-year subscription to McAfee’s ID protection service, and is working with security experts Mandiant and with auditing consultants KPMG to hopefully avoid future incidents.

But with the company’s history of poor security, the only tips at this point are to adopt a fully zero-trust security policy, tighten up rigorously at every entry point, and hope for the best.