[BreachExchange] T-Mobile data breach: A cautionary tale for all companies

[Destry Winant]

https://www.complianceweek.com/cyber-security/t-mobile-data-breach-a-cautionary-tale-for-all-companies/28568.article

For the second time in a matter of four months, T-Mobile announced it
has suffered a data breach. Cyber-security experts say it’s a
cautionary tale about the vulnerabilities of e-mail accounts that are
not properly secured.

T-Mobile disclosed the latest breach in a recent notice to customers.
“Our cyber-security team recently identified and shut down a malicious
attack against our e-mail vendor that led to unauthorized access to
certain T-Mobile employee e-mail accounts, some of which contained
account information for T-Mobile customers and employees,” the company
stated.

The information accessed may have included customer names and
addresses, phone numbers, account numbers, rate plans and features,
and billing information. Financial information, including credit card
information, and Social Security numbers were not impacted, T-Mobile
said.

“We are not aware of any evidence where the information contained in
the affected e-mail accounts has been used to commit fraud or
otherwise misused,” the company stated. T-Mobile said it immediately
reported the data breach to federal law enforcement and is “actively
cooperating in their investigation.”

This is the second known data breach the mobile carrier has suffered
in recent months. In another notice to customers, issued in November
2019, T-Mobile said its cyber-security team, again, identified and
shut down “malicious, unauthorized access” associated with its prepaid
wireless accounts. In that incident, hackers compromised much of the
same information as that reported in the latest breach, including name
and billing addresses; phone numbers; account numbers; and rate plan
and features.

Following the latest breach, T-Mobile said it is “always working to
enhance security, so we can stay ahead of this type of activity and
protect our customers. We also are reviewing our security policies and
procedures to enhance how we protect these systems.”

Broader industry warning

“It is very concerning that T-Mobile has suffered yet another data
breach,” says Tony Pepper, CEO of software company Egress. “This
should serve as a timely reminder to any company that the handling,
processing, and storing of customer data should be its number one
priority, even when at rest in third-party systems.”

Today, technologies like contextual machine-learning “can make e-mail
safe without railroading productivity, helping to prevent common
breaches like misdirected emails and also ensuring the right level of
encryption is applied to sensitive data,” Pepper says. “In this case
specifically, encryption at rest could have been used to help prevent
hackers accessing the data stored in these e-mail accounts.”

Announcement of the T-Mobile breach comes a week since the Federal
Communications Commission proposed a fine against T-Mobile—along with
the three other largest wireless carriers in the United States—for
allegedly selling access to their customers’ location information
without taking reasonable measures to protect against unauthorized
access to that information.