T-Mobile Hack: You Should Be Concerned Even If You’re Not a Customer

You’ve likely heard that T-Mobile was hacked causing a massive data breach in August 2021.  In this data breach involving 50 million records, even those who aren’t currently T-Mobile customers have been affected. How’s that even possible, you wonder? Read on…hold on to your hat. The sole hacker who pulled off the job said this about T-Mobile’s network: “Their security is awful.”  T-Mobile is the second-largest wireless carrier in the U.S. Companies are the last ones to find out they’ve been breached. T-Mobile only found out about the data breach when an outside security company told them that someone was selling T-Mobile customer data on the internet. T-MOBILE DATA BREACH Most of the people 50 million accounts affected by the hack were not current customers, as mentioned above. That’s quite alarming if you think about it. But unfortunately, we don’t know what these companies are doing. And as it turns out, many of them don’t know what they’re doing either. T-Mobile has been hacked three times in two years! Maybe you’re thinking, “I don’t need to worry because I’m not a T-Mobile customer.” Okay, don’t worry. Instead, take a few steps (on all your accounts) to help protect yourself before they do get hacked—or you might be doing this afterward. This time, the data breach of a major company wasn’t done by a team of experts. One 21-year-old, an American-born man living in Turkey, seems to have pulled off the hack pretty much by himself. The young hacker has even been bold enough to tell the Wall Street Journal his name and explain why he did it—to gain attention. “Generating noise was one goal,” he said. A common trait among hackers is that they don’t seem to care about anything but glory, attention, and fame amongst their peers. This same person is known to have created a huge network of secretly hacked devices that was used to launch cyberattacks. Most likely, the people who owned the hacked devices had no clue. Well, the hacker succeeded at achieving his goal (in his eyes and world). Unfortunately, his success is nothing but bad news for T-Mobile and its customers and others. He got away with stealing confidential (and supposedly protected) information about T-Mobile customers, including Social Security numbers, driver’s license numbers and dates of birth. Information that could be sold for nefarious reasons include identity theft. Evidently, according to the Wall Street Journal, the hacker found a T-Mobile router that was unprotected and exposed on the internet. He discovered it, he told the WSJ, while he “was scanning T-Mobile’s known IP addresses, looking for weak spots.” He did that by using a digital tool that’s easy to acquire online. He was actually just as surprised as we are now, “I was panicking because I had access to something big”, he admitted. Hackers: they don’t care about anything except glory, attention, and fame amongst their peers. It’s not going well for companies. Even though the cybersecurity industry is booming–with cybersecurity consultants, software suppliers and incident response teams growing like crazy–cybercrooks seem always to stay one step ahead. But it doesn’t help when companies make it easy for hackers to find ways into their networks. If that seems too harsh, you can say companies aren’t making it hard enough—or even impossible—for hackers to get into their networks. The breach even sparked an inquiry by the Federal Communication Commission (FCC), the first of its kind, as the current U.S. Administration has said they’re going to be examining companies’ security and privacy. They’re on a mission to ensure that U.S. companies start strengthening their cyber defenses. “Telecommunications companies have a duty to protect their customers’ information.” But guess what? According to the Wall Street Journal, the guidelines from the FCC are pretty much voluntary. They’re more or less, at this point, just suggestions of best cybersecurity practices for companies. The good news about the hack, is that it didn’t disrupt service to customers. The bad news is that hackers hit paydirt when it comes to finding customer information to steal. As mentioned previously, the hacker stole Social Security numbers and driver license numbers of 50 million people. And as mentioned before, the stolen data wasn’t mostly from current customers. Supposedly, most of it came from past customers, as well as prospective customers. Prospective customers are people who may have applied for a T-Mobile account, but has not been established yet. If you think that doesn’t data-handling practice sound right, you’re in good company. There are cybersecurity legal firms who think it’s wrong, too. The head of one legal group said, “why were they keeping sensitive information for these people…who didn’t even sign an agreement with T-Mobile?” Part of the issue is that large companies like having large databases as information. To them your Social Security number, driver license number, date of birth, etc., are simply “data”—information about people that’s handy to have for analyzing, strategizing, marketing and more. They like playing with it. With all at stake, you’d think they’d protect it better. Especially because, ultimately, it’s YOUR data, not their data. In late August, President Joe Biden hosted the top executives from tech giants Apple, Google, Amazon and Microsoft, as well as financial executives, to discuss the need to boost cybersecurity. There have been enough data breaches and hacks of large companies already this year to get everyone worried. The current administration has named cyber-attacks as one of the largest and most dangerous security threats to the country. The President said, “The federal government can’t meet this challenge alone,” adding that corporations “have the power, the capacity, and the responsibility…to raise the bar on cybersecurity. “The companies attending the event pledged to put millions of dollars into research, innovations, education and training. But you have to wonder: With all the hacks and attacks that have happening and making big headlines, why hasn’t anyone done anything sooner? The sad reality is, until companies and agencies are extremely serious about combating the relentless assaults by hackers, there will always be another story about a significant data breach. Of course, T-Mobile was caught off-guard and had to scramble to patch things up. Here’s what T-Mobile said to “reassure” the public right after they were informed of the attack by an outside party. “We are confident that we have closed off access and egress points the bad actor used in the attack.“ It would seem hard to have confidence in them after they just got hacked for the third time in two years. A few weeks after that, they admitted their failure. “We didn’t live up to the expectations we have for ourselves to protect our customers. Knowing that we failed to prevent this exposure is one of the hardest parts ever.” At the same time, they announced new partnerships with cybersecurity firms to shore up their defenses. Data breaches happen by the thousands each year. Use our free Data Breach Check tool to find out if you have other accounts that may have been affected by past data breaches—and what to do about it. Sources: Wall Street Journal: August 20, 26, 27, 2021; T-Mobile.com.