A Week in Telco IT: T-Mobile 2mn user security breach shows comms sector has learned little

T-Mobile was hacked this week and the resulting data breach is depressingly familiar. One security expert believes it points to a “systemic malaise” in the communications industry. Jeremy Cowan reports on a return of old failures.

(Also see: TalkTalk hit by cyber attack, and What can telcos learn from TalkTalk’s recent data security breach? – Part 2, and As Samsung and Swann IoT apps breached, when will we confront our security flaws?)

As Charl van der Walt, chief security strategy officer, SecureData tells VanillaPlus, “The breach at T-Mobile looks depressingly familiar. Whilst the quality of the data lost is limited, and whilst the business appears to be doing a good job of handling and messaging the incident, the fact is that the name, billing zip code, phone number, email address, account number and account type of up to 2 million T-Mobile customers is now irretrievably ‘out there’ and subject to abuse for phishing, account take-over, spam, identify theft and other forms of fraud. Those people have been violated and there’s no way to make it right.

“No doubt the causes of this breach will be scrutinised in minute detail,” van der Walt adds, “to determine whether, how and to what extent T-Mobile is responsible for this loss, and regulatory fines, SEC penalties and civil law suits may all follow. But none of this is likely to change the fundamental fact that billions of these kinds of records are being leaked to the internet at a growing rate with all the implications for privacy, digital security and person safety that that brings.”

(Also see the angry response in 2015 from T-Mobile USA’s CEO, John Legere (pictured right), to a data security failure at Experian that exposed T-Mobile customers’ data: Letter to customers. T-Mobile’s CEO on Experian’s Data Breach.)

‘Systemic malaise’ in comms sector

“What interests me about this incident is that it illuminates a systemic malaise that is starting to impact society at a fundamental level, as the recent Facebook / Cambridge Analytica incident illustrates. It’s not clear what can still be done about this at this late stage. Pandora’s box has been opened, the evil is out, and there’s not much we can do to put it back.”

SecureData’s van der Walt concludes: “Addressing the problem of personal data leaks will take years or decades even and will require political will and deep commitment from business, government, and the security industry.”

Commenting on this data leakage, the senior principal consultant at Synopsys, Amit Sethi (pictured above) tells VanillaPlus, “We don’t yet know exactly what happened and when. However, we do know what the potential impact of this type of breach can be. Hackers stole customer names, ZIP codes, phone numbers, email addresses, account numbers and account types.

“This information can potentially be used in targeted attacks where attackers can impersonate customers to T-Mobile’s customer service representatives.” Sethi adds, “Attackers may also be able to impersonate the customers to other wireless carriers and attempt to port the numbers in order to hijack the phone numbers. People who are impacted should ensure that they have set up a PIN with T-Mobile that they use to authenticate to customer service representatives, and that is required to port their phone numbers to another carrier.”

The author of this article is
Jeremy Cowan (pictured left),
editorial director of IoT Now
and VanillaPlus.

Comment on this article below or via Twitter: @VanillaPlus OR @jcvplus