Acquisitions: With ownership comes a great deal of responsibility

Acquisition and merger news in the communications sector has continued to emerge this month, as has T-Mobile’s latest data breach. Business technology journalist Antony Savvas says business ownership and data security should now be judged together by increasingly active industry regulators.

Acquisition scrutiny

The proposed US$61 billion (€55.6 billion) acquisition of VMware by Broadcom has been slowed further by the detailed investigations of the UK Competition and Markets Authority and the European Commission, with regulators in the US, and even China, widely expected to take a closer look too.

In Spain, the €18.6 billion Orange and MasMovil merger is already under scrutiny by regulators, as will the soon-to-be-confirmed £15 billion (€17.2 billion) merger of Vodafone and Three in the UK.

But in all these cases, and others, maybe the regulators should also be looking under the hood regarding these proposed larger companies’ data security plans going forward?

Deutsche Telekom recently trumpeted the fact it had gained majority control of T-Mobile US. “We have the majority and are the largest shareholder of the world’s most valuable telecommunications company, T-Mobile US,” beamed Deutsche Telekom CEO, Tim Höttges.

The value of T-Mobile has steadily increased over recent years, and the company was already a very profitable cash cow for Deutsche Telekom when it held only a minority stake in the firm. It now holds just over 50%.

Pathetic

Understandably, however, Höttges didn’t dwell too much on the data security performance of his new majority-owned asset, as it is pathetic. Which is rather ironic, considering the German market overall is one of the most demanding when it comes to data security and data privacy.

Earlier this year, T-Mobile, which has more than 100 million customers, admitted it had suffered a data breach that had impacted 37 million current customers between November 2022 and January 2023.

The company also had a major breach in 2021 affecting 49 million customers, two breaches in 2020, one in 2019, and another in 2018.

Promises not enough

In July 2022, T-Mobile agreed to settle a class action suit over the 2021 breach, a settlement that included $350 million (€319 million) being awarded to customers. The company also committed to a two-year, $150 million (€137 million) strategy to improve its digital security and data defences.

The promises clearly haven’t been enough though, as the telco has just reported another breach affecting over 800,000 customers.

“In this latest incident, the attackers managed to remain hidden for months, so it’s likely that after gaining access to T-Mobile’s network, the attackers were moving slowly and laterally to avoid detection,” says Matthew Hamilton, senior SOC (security operations centre) analyst at Adarma, a cyber security services firm.

“It can be hard to spot the small network anomalies that would trigger an intrusion alert, which is why it’s important to have proactive threat hunting as part of a robust cyber security strategy,” he adds.

Math is broken

Chris Handscomb, solutions engineer for EMEA at fellow cyber security firm Centripetal, adds: “This is T-Mobile’s 7th breach in just 5 years. It’s clear that the traditional security processes that organisations like T-Mobile operate under aren’t working.

“No time in history have organisations spent as much money as they’re doing right now on cyber security to prevent cyber threats from happening. And even with all the spending, the only thing that organisations know for sure is that their exposure to cyber risk is only going up and up and up. Clearly, the math is broken,” says Handscomb.

Around the same time as T-Mobile discovered its first hack of the year, the US Federal Communications Commission proposed more stringent data-breach reporting for the telecoms industry.

“The law requires carriers to protect sensitive consumer information but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements,” FCC chair, Jessica Rosenworcel said at the time. “This new proceeding will take a much-needed, fresh look at our data breach reporting rules to better protect consumers, increase security, and reduce the impact of future breaches.”

Regulators really do need to start clamping down on those CSPs (communications service providers) that only pay lip service to the security of their customers’ data. In T-Mobile US’ case, they, and Deutsche Telekom, should be told in no uncertain terms that an eighth major data breach will come with severe consequences.

Cashing in

CSPs can also cash in on the opportunities created by the need for enterprises to protect their customers’ data.

Network service provider Global Cloud Xchange (GCX) has just sealed three partnerships with specialist cyber security consultancies Cambridge Cyber Advisors, Performanta and S-RM.

They will increase the scale and scope of its new Cyber Division in response to “growing demand”, said GCX. GCX launched its Cyber Division last month to offer consultancy and technical support to help organisations respond to increasing network security risks.

And BT and identity security vendor CyberArk have partnered to launch the Managed Identity Privileged Access Management service, built on CyberArk’s Identity Security Platform.

With identity-based cyber attacks on the rise, preventing the compromise of human and machine credentials to protect access to critical data and assets is a priority.

Managed Identity Privileged Access Management is a solution that applies intelligent privilege controls to all identities, human and machine, with continuous threat detection and prevention across the entire identity lifecycle. Organisations can enable zero trust and least privilege rules, ensuring that every approved identity can securely access any resource, located anywhere, from everywhere.

But CSPs like T-Mobile can’t sell such solutions with a straight face, if they can’t even get their own act together!

The author is Antony Savvas, a global freelance business technology journalist.
