from the fool-me-once dept
It’s historically always been true that however bad a hack scandal is when initially announced, you can be pretty well assured that it’s significantly worse than was actually reported. That’s certainly been true of the recent T-Mobile hack, which exposed the personal details (including social security numbers) of more than 53 million T-Mobile customers (and counting). It’s the fifth time the company has been involved in a hack or leak in just the last few years, forcing the company’s new(ish) CEO Mike Sievert to issue yet another apology for the company’s failures last Friday:
Our investigation into the cybersecurity attack against @Tmobile & our customers is substantially complete. We didn?t live up to the expectations we have of ourselves to protect customer data. Here's how we're taking our security efforts to the next level.
— Mike Sievert (@MikeSievert) August 27, 2021
The extra apology didn’t come unprompted. It came after the hacker involved in the data breach conducted an interview with the Wall Street Journal (paywalled, here’s an open alternative) in which he explained T-Mobile’s overall consumer privacy and security protections as “awful”:
Binns gained access to the servers after discovering an unprotected router by scanning T-Mobile’s internet address for weak spots, The Journal reported. Over 53 million people had personal information compromised in the hack such as names, addresses, dates of births, phone numbers, Social Security numbers, and driver’s license information.”
In short he didn’t so much as “hack” T-Mobile as he walked straight through an open door. Customers say they didn’t know about the breach until the media did, prompting them to wonder why, if privacy and security is such a priority for a company like T-Mobile, they had to learn about the incident from somebody else:
“It just frustrates me, honestly,” Richards said. “If our data is a priority for you guys to keep safe, how come I haven’t gotten a notification or anything like that?”
Of course T-Mobile, like countless other American companies, isn’t incentivized to actually secure user data because we don’t have a meaningful privacy law for the internet-era. In most cases, the most companies like this see are a week of bad headlines and a few regulatory wrist slaps — assuming U.S. regulators have the time or resources to pursue any kind of meaningful investigation at all. Without meaningful oversight and penalties the impact on consumers is often little more than an afterthought, and the most they get is another round of “free credit reporting” — something they’ve already obtained from the last seven times their personal information wasn’t properly secured.
Then of course there’s the relentless “growth for growth’s sake” mindset in telecom and other sectors that results in a near-mindless obsession with consolidation (often at the cost of anything else). T-Mobile has spent much of the last five years kissing Donald Trump’s ass to gain regulatory approval for its job and competition eroding merger with Sprint. How much of the time spent pursuing their heavily criticized megadeal (and the follow up network integration) could have gone toward actually securing the company’s servers, routers, and overall network?