In an email overnight, T-Mobile shared details about the data breach it confirmed Monday afternoon. They are not great. Data of more than 48 million people has been compromised, and although this is less than the 100 million initially announced by the hacker, the vast majority of those affected turn out not to be current T-Mobile customers at all.
Instead, T-Mobile claims that among those whose data has been compromised, more than 40 million are former or potential customers who had applied for credit from the operator. An additional 7.8 million are current “postpaid” customers, which simply means T-Mobile customers who are billed at the end of each month. These roughly 48 million users have had their full names, dates of birth, social security numbers and driver’s license information stolen. 850,000 additional prepaid customers, who fund their accounts in advance, had their names, phone numbers and PINs exposed. The investigation is ongoing, which means the tally may not end there.
There is no good news here, but the slightly less bad news is that the vast majority of customers do not appear to have had their phone numbers, account numbers, PINs, passwords, or financial information taken in the breach. The bigger question, however, is whether T-Mobile really needed to hold onto such sensitive information from the 40 million people it doesn’t currently do business with. Or, if the company was going to store this data, why didn’t it take better precautions to protect it?
“Overall, it’s still the Wild West in the United States when it comes to the types of information businesses can keep about us,” says Amy Keller, partner at the law firm DiCello Levitt Gutzler, who led the class action lawsuit against Equifax after the credit bureau’s 2017 breach. “I’m surprised and I’m not surprised either. I guess you could tell I’m frustrated.”
Privacy advocates have long promoted the concept of data minimization, a fairly self-explanatory practice that encourages businesses to retain as little information as necessary. Europe’s General Data Protection Regulation codifies the practice, requiring that personal data be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” The United States currently has no equivalent on the books. “United States privacy laws that touch on data minimization generally don’t require it,” says Keller, “and instead recommend it as a best practice.”
Until the United States passes an omnibus privacy law similar to the GDPR, or state-level legislation like the California Consumer Privacy Act starts to take a harder line, data minimization will remain an alien concept. “In general, the collection and retention of sensitive data from prospective and former customers does not constitute an act of consumer fraud under US law and is routine,” says David Opderbeck, co-director of the Institute of Law, Science and Technology at Seton Hall University. As inappropriate as it may seem for T-Mobile to keep detailed records of millions of people who may never have been its customers, there’s nothing stopping it from doing so, for as long as it wants.
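To make the data-minimization idea concrete, here is an added example, not code from the article or from T-Mobile, of what a retention rule looks like in practice: records for credit applicants and former customers keep only non-sensitive fields once an assumed retention window has passed, while current customers are untouched. The record layout, the 90-day and 365-day windows, and the sample records are all constructed for illustration.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Fields that should not outlive the purpose they were collected for.
# The set is an assumption for this example.
SENSITIVE = ("ssn", "drivers_license", "date_of_birth")

@dataclass
class Record:
    customer_id: str
    status: str                 # "current", "former", or "applicant"
    last_activity: datetime     # account closure or credit-decision date
    fields: Dict[str, str] = field(default_factory=dict)

# Retention windows per relationship type. Assumed values; a real policy would
# come from legal/compliance review, not from this script.
RETENTION = {
    "applicant": timedelta(days=90),   # credit decision made, data no longer needed
    "former": timedelta(days=365),     # closed accounts
    # "current" has no entry: active accounts keep their data
}

def scrub(rec: Record, now: datetime) -> Tuple[Record, List[str]]:
    """Return the record with sensitive fields removed if its window expired,
    plus the list of field names that were dropped (empty if nothing changed)."""
    window = RETENTION.get(rec.status)
    if window is None or now - rec.last_activity <= window:
        return rec, []
    kept = {k: v for k, v in rec.fields.items() if k not in SENSITIVE}
    removed = sorted(k for k in rec.fields if k in SENSITIVE)
    return replace(rec, fields=kept), removed

def minimize(records: List[Record], now: datetime):
    """Apply scrub() to every record; return the new list and a per-record
    report of dropped fields, which doubles as an audit trail."""
    out, report = [], {}
    for rec in records:
        new, removed = scrub(rec, now)
        out.append(new)
        if removed:
            report[rec.customer_id] = removed
    return out, report

def sample_records(now: datetime) -> List[Record]:
    """Constructed sample data covering each branch of the policy."""
    pii = {"name": "A. Sample", "ssn": "000-00-0000",
           "drivers_license": "X0000000", "date_of_birth": "1970-01-01"}
    return [
        Record("app-old", "applicant", now - timedelta(days=200), dict(pii)),
        Record("app-new", "applicant", now - timedelta(days=10), dict(pii)),
        Record("former-old", "former", now - timedelta(days=400), dict(pii)),
        Record("cur", "current", now - timedelta(days=3000), dict(pii)),
    ]

if __name__ == "__main__":
    now = datetime(2021, 8, 18, tzinfo=timezone.utc)
    cleaned, report = minimize(sample_records(now), now)
    for rec in cleaned:
        print(rec.customer_id, rec.status, sorted(rec.fields))
    print("dropped:", report)
```

Running this on a nightly schedule, with the report written to an audit log, is the kind of routine that keeps a breach of the applicant table from exposing identity-theft-grade data for people who never became customers.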
Today, these past and prospective customers, along with millions of current T-Mobile subscribers, find themselves victims of a data breach over which they had no control. “The first risk is identity theft,” says John LaCour, founder and CTO of digital risk protection company PhishLabs. “The information includes names, social security numbers, driver’s license identifiers: all the information that would be needed to apply for credit as a person.”
The hack would also potentially facilitate so-called SIM swap attacks, LaCour says, especially against prepaid customers whose PINs and phone numbers have been exposed. During a SIM swap, a hacker transfers your number to their own device, usually so they can intercept SMS-based two-factor authentication codes, making it easier to access your online accounts. T-Mobile did not respond to a request from WIRED as to whether international mobile equipment identity numbers were also involved in the breach; each mobile device has a unique IMEI, which would also be valuable to SIM swappers.
T-Mobile has implemented some precautions on behalf of victims: it offers two years of identity protection through McAfee’s Identity Theft Protection service and has already reset the PINs of the 850,000 prepaid customers whose PINs were exposed. It recommends, but does not require, that all current postpaid customers change their PIN as well, and offers a service called Account Takeover Protection to help thwart SIM swap attacks. It also plans to publish a “one-stop-shop information” site on Wednesday, although the company did not say whether it would offer any kind of lookup to see if you are affected by the breach.