T-Mobile Hacked For The Eighth Time In Five Years
T-Mobile hasn’t been what you’d call competent when it comes to protecting its customers’ data. The company has now been hacked numerous times just since 2018, with hackers at one point going so far as to publicly ridicule the company’s lousy security practices.
Case in point: T-Mobile just revealed in an SEC filing (spotted by TechCrunch) that the company was hacked for the eighth time in five years, this time impacting the privacy and security of 37 million T-Mobile subscribers.
According to T-Mobile, starting in late November a “bad actor” managed to obtain personal data including names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, and information such as “the number of lines on the account and plan features.” As is usually the case with such breaches, T-Mobile issued a statement trying to downplay it:
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network.”
The intruder abused an API and didn’t directly access T-Mobile’s systems. But such statements are generally worthless, as the scope of such breaches usually tends to grow as investigators dig deeper. An intrusion found in the fall can be the launchpad for a worse intrusion in the spring.
As with so many modern companies, T-Mobile over-collects data, then doesn’t take the necessary steps to protect said data. It then lobbies U.S. lawmakers to ensure we don’t shore up U.S. privacy protections (as it did when Congress gutted the FCC’s fairly modest broadband privacy rules, or when it lobbies to kill federal reform), and the cycle repeats itself in perpetuity.
T-Mobile has a bit of a history of being sloppy with the vast location data it collects on users, then fighting tooth and nail against whatever slapdash accountability U.S. regulators can feebly muster. T-Mobile recently dramatically expanded the company’s collection of user browsing and app usage data via a new program dubbed “app insights.”
We’ve built a reality where nobody consistently holds giant companies accountable for lax privacy and security standards. As a result, said companies see little meaningful incentive to improve, given they now view modest and pathetic fines levied by feckless U.S. regulators (who, by design, lack the resources to tackle privacy issues at any real scale) as a reasonable cost of doing business.
I… i… i am starting to think they in fact do NOT take our privacy seriously.
That they know of, as it is looking like intruders gain entry faster than T-Mobile can detect and remove them. A later intrusion could hide an earlier one using the same tools, or simply take over the work of a competitor.
Guess they have their new ad campaign.
At T-Mobile, your bill will never go up, and your data will always leak.
Re: From: billing
Of course your bill has gone up – how else do you expect us to pay any fines?
(Not that we’ll get any of any significance, but collecting the cash from you just in case. We can always find a use for spare cash)
"fully contained"
As in, “already for sale on the dark web.”
This is the company that needs to start getting banned from schools. The network is a bigger data threat than TikTok.
'You better not hit nine or I will wag my finger something fierce!'
Eight hacks in five years, eight times customer data that they were collecting because it’s profitable was available to whoever spotted the latest hole in their slap-dash security, with a wrist slap at worst every time because it would be just terrible to tell a company not to collect customer data to use and profit from.
Meanwhile five feet off to the side you’ve got politicians hyperventilating about how vital it is to block or force the sale of TikTok and shocked and appalled that anyone would ever think they’re not arguing in good faith when they assert that their motivations to spike the company are rooted in their deep and overwhelming concern for user privacy and data collection and nothing else.
That makes two-factor authentication worthless too.
