In an email overnight, T-Mobile shared details about the data breach it confirmed Monday afternoon. They are not good. Data on 48 million people was exposed. That is fewer than the 100 million the hacker initially claimed, but it also means that the vast majority of those affected are not current T-Mobile customers.
T-Mobile says that 40 million of those whose data was compromised were former customers or prospective customers who had applied for credit through the carrier. Another 8.8 million are current “postpaid” customers, meaning they are billed at the end of each month. All 48 million of these people had their names and Social Security numbers stolen. A further 850,000 prepaid customers, who pay for their accounts in advance, had their names, phone numbers and account PINs exposed as well. The investigation is ongoing, so more customers may yet turn out to be affected.
There is little good news in the breach, but most of those affected do not appear to have had their financial data, phone numbers or account numbers stolen. The bigger question is why T-Mobile kept such sensitive data on the 40 million people with whom it has no current business relationship. If the company was going to store that data, why didn’t it take greater precautions to protect it?
“Generally speaking, it’s still the Wild West in the United States when it comes to the types of information companies can keep about us,” says Amy Keller, a partner at the law firm DiCello Levitt Gutzler who led the class action lawsuit against Equifax after the credit bureau’s 2017 breach. “I am surprised, but I also don’t find it surprising. You could also say that I am frustrated.”
Data minimization is a practice championed by privacy advocates that urges companies to keep as little information as possible. Europe’s General Data Protection Regulation codifies the practice, requiring that personal data be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” The US currently has no equivalent on the books. “Privacy laws in the United States that do touch upon data minimization generally don’t require it,” Keller says, “and instead recommend it as a best practice.”
Until and unless the US adopts an omnibus privacy law similar to the GDPR, or state-level legislation like the California Consumer Privacy Act starts taking a harder line, data minimization will remain a foreign concept. David Opderbeck, codirector of Seton Hall University’s Institute of Law, Science and Technology, says that collecting and keeping sensitive information about prospective and past customers is common practice and does not constitute consumer fraud. However unseemly it may look, T-Mobile can keep records on millions of individuals, and it can do so for as long as it likes.
Those former and prospective customers are now victims of a breach they had no way to prevent. John LaCour, founder and chief technology officer of the digital risk protection firm PhishLabs, says that identity theft is the first threat. Names, Social Security numbers and driver’s license numbers are exactly the information needed to open credit in someone else’s name.
The hack could also make it easier to pull off so-called SIM swap attacks, LaCour says, particularly against the prepaid customers who had their PINs and phone numbers exposed. In a SIM swap, an attacker ports your phone number to a device they control, which lets them intercept SMS-based two-factor authentication codes and use them to get into your online accounts. WIRED asked T-Mobile whether International Mobile Equipment Identity (IMEI) numbers had also been compromised. Each mobile phone has a unique IMEI, which would be valuable to SIM swappers.
T-Mobile has taken several steps for victims. It is offering two years of McAfee ID Theft Protection Service. It has also reset the PINs of the 850,000 prepaid customers whose PINs were exposed, and it recommends, but does not require, that current postpaid customers change their PINs as well. It offers a service called Account Takeover Protection to block SIM swap attacks. The company also announced plans to create a website for “one-stop information,” although it did not say whether the site would let people check whether they were affected by the breach.
Instead, T-Mobile says it will proactively reach out to victims. WIRED asked T-Mobile for details about its communication plans and what information it will share with those whose personal data was compromised; the carrier did not respond. LaCour says that even sharing a simple timeline of whose data is affected, for instance whether someone who stopped being a T-Mobile customer more than a year ago is in the clear, would help people know where they stand.
If you are a T-Mobile customer, you can change your password and PIN online. Although it is not yet clear how the ID monitoring will actually work, you should sign up for the two free years of it. Start using app-based two-factor authentication wherever possible, rather than receiving codes by text message. You can also contact the three major credit bureaus to request a freeze on your credit report, which prevents anyone from accessing your credit file or opening new accounts in your name.
Opderbeck notes that the US has no comprehensive cybersecurity law, and agencies such as the Federal Communications Commission and Federal Trade Commission are limited in how much pressure they can exert. If T-Mobile faces any repercussions for what is its sixth breach in as many years, they will most likely come from class-action lawsuits. Opderbeck says he has seen more than 30 data breach settlements over the years, which typically result in small cash payments and credit monitoring. Keller also points out that a class action may prove difficult to pursue because T-Mobile’s customer agreement contains a clause that forces customers into arbitration.
It’s not realistic to expect every company to stop every breach, especially when those companies possess data that is highly valuable to hackers. It is reasonable, though, to expect businesses in that position to take every sensible precaution to limit the damage when a breach does happen. Keeping detailed records, including driver’s license information, on more than 40,000,000 former and prospective customers seems reckless. Data that isn’t stored can’t be stolen.
Published at Wed 18 August 2021, 19:40:22 (+0000).