T-Mobile Confirms Major Hack, Social Security Numbers And Drivers License Data Exposed
from the here-we-go-again dept
Earlier this week reports emerged that T-Mobile was investigating a massive hack of the company’s internal systems, resulting in hackers gaining access to a massive trove of consumer information they were selling access to in underground forums. Initial estimates were that the personal details of 100 million customers had been accessed (aka all T-Mobile customers). After maintaining radio silence as it investigated the hack, T-Mobile has since released a statement detailing the scale of the intrusion. In short, it was smaller than initial claims, but still massive and terrible:
“Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts? information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile. Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.”
While T-Mobile notes that none of the PINS used by former or prospective postpaid (billed regularly month to month) customers were accessed, T-Mobile does note that 850,000 active T-Mobile prepaid customers had their names, phone numbers and account PINs exposed. Many others had their social security numbers, drivers license/ID information, and other data exposed:
“Some of the data accessed did include customers? first and last names, date of birth, SSN, and driver?s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.”
While it’s understood why T-Mobile would collect some of this data during a credit check, it’s not clear exactly why it needed to keep this data after the credit check is complete. This, again, is the kind of stuff you could tackle with a basic US privacy law with meaningful penalties for companies that keep getting hacked. For T-Mobile customers I think this is maybe the fifth or sixth time the company has been hacked since 2018. You have to think clear, basic, and consistently enforced federal guidelines and penalties would incentivize companies to not over-collect data and properly secure their systems.
Instead we stand around, shrug, complain that it’s impossible or too hard to have competent governance on this subject, and nothing changes. And when consumers then get hacked (again), the best they get are platitudes like “free credit reporting,” which prove utterly useless given they’ve received “free credit reporting” the last 75 times their data wasn’t properly secured.
It’s not clear how many of these kinds of repeated scandals we need to see before the federal government crafts some basic, competent guard rails, but it’s abundantly clear that, thanks to a broad cross-industry coalition of lobbyists with near-unlimited budgets, it’s not going to be anytime soon.