Hacker Taunts T-Mobile, Calls Its Security 'Awful'
from the fool-me-once dept
It's historically always been true that however bad a hack scandal is when initially announced, you can be pretty well assured that it's significantly worse than was actually reported. That's certainly been true of the recent T-Mobile hack, which exposed the personal details (including social security numbers) of more than 53 million T-Mobile customers (and counting). It's the fifth time the company has been involved in a hack or leak in just the last few years, forcing the company's new(ish) CEO Mike Sievert to issue yet another apology for the company's failures last Friday:
Our investigation into the cybersecurity attack against @Tmobile & our customers is substantially complete. We didn’t live up to the expectations we have of ourselves to protect customer data. Here's how we're taking our security efforts to the next level.
— Mike Sievert (@MikeSievert) August 27, 2021
The extra apology didn't come unprompted. It came after the hacker involved in the data breach gave an interview to the Wall Street Journal (paywalled; here's an open alternative) in which he described T-Mobile's overall consumer privacy and security protections as "awful":
"Binns gained access to the servers after discovering an unprotected router by scanning T-Mobile's internet address for weak spots, The Journal reported. Over 53 million people had personal information compromised in the hack such as names, addresses, dates of birth, phone numbers, Social Security numbers, and driver's license information."
In short, he didn't so much "hack" T-Mobile as walk straight through an open door. Customers say they didn't know about the breach until the media did, prompting them to wonder why, if privacy and security are such a priority for a company like T-Mobile, they had to learn about the incident from somebody else:
"It just frustrates me, honestly," Richards said. "If our data is a priority for you guys to keep safe, how come I haven't gotten a notification or anything like that?"
Of course T-Mobile, like countless other American companies, isn't incentivized to actually secure user data because we don't have a meaningful privacy law for the internet era. In most cases, the most companies like this see is a week of bad headlines and a few regulatory wrist slaps -- assuming U.S. regulators have the time or resources to pursue any kind of meaningful investigation at all. Without meaningful oversight and penalties the impact on consumers is often little more than an afterthought, and the most they get is another round of "free credit reporting" -- something they've already obtained from the last seven times their personal information wasn't properly secured.
Then of course there's the relentless "growth for growth's sake" mindset in telecom and other sectors that results in a near-mindless obsession with consolidation (often at the cost of anything else). T-Mobile has spent much of the last five years kissing Donald Trump's ass to gain regulatory approval for its job- and competition-eroding merger with Sprint. How much of the time spent pursuing their heavily criticized megadeal (and the follow-up network integration) could have gone toward actually securing the company's servers, routers, and overall network?
It's too late for excuses.
How many years will it take for people to Stop and FIX things like Servers and access to the net?
This has been going on too long to be an excuse. These folks are Supposed to be top of the line support and building of our infrastructure. ISP, Phone, Cell phone, Internet, Cable and sat TV. WTF is going on.
Did everyone go to basic Windows as a server, NOT the server version that Charges you a yearly fee? How many Pentium 5 systems are being used for internet servers? They could be using a DOS based system, and it would work better, as you Really don't need the graphics on a server, Windows NT would fit the bill and be safer than what is happening.
Forget all that, GO BACK TO LINUX/UNIX based systems. As one person mentions, it's a pain to get set up, but there is a TON more security you can build into it.
(still would like to know what server prog All these break-ins happened to)
I know! It's an automated Admin/sysop. And no one pays attention to it as 'The computer did it'.
These companies need to work to protect customer data as hard as they work to keep the CEO's personal cell phone number from their own customers.
Re:
'Any database of user information must include the same amount and type of personal information relating to the CEO and other executives of the company, secured no more and no less than other user information', pass a regulation like that and you could watch in real time as companies switch from indifference to suddenly showing a very real interest in proper security no matter how it might ding their quarterly profits.
Probably not legal or constitutional, but it is a pleasant thought at least, as it would certainly solve the problem.
'Any security at all is a huge hurdle here at T-Mobile...'
T-Mobile: We didn’t live up to the expectations we have of ourselves to protect customer data.
Hacker: Yeah I basically just walked through the digital equivalent of an unlocked 'employees only' door that was propped open and had the key sitting on a rock next to it just in case.
If they didn't live up to their own expectations and their security was that bad how low were their expectations and how sad/horrifying is it that they still failed to meet them?
