Hacker Taunts T-Mobile, Calls Its Security 'Awful'

from the fool-me-once dept

It has historically always been true that however bad a hack scandal looks when first announced, you can be fairly sure it is significantly worse than initially reported. That’s certainly been true of the recent T-Mobile hack, which exposed the personal details (including social security numbers) of more than 53 million T-Mobile customers (and counting). It’s the fifth time the company has been involved in a hack or leak in just the last few years, forcing the company’s new(ish) CEO Mike Sievert to issue yet another apology for the company’s failures last Friday:

The extra apology didn’t come unprompted. It came after the hacker involved in the data breach gave an interview to the Wall Street Journal (paywalled, here’s an open alternative) in which he described T-Mobile’s overall consumer privacy and security protections as “awful”:

“Binns gained access to the servers after discovering an unprotected router by scanning T-Mobile’s internet address for weak spots, The Journal reported. Over 53 million people had personal information compromised in the hack such as names, addresses, dates of birth, phone numbers, Social Security numbers, and driver’s license information.”

In short, he didn’t so much “hack” T-Mobile as walk straight through an open door. Customers say they didn’t know about the breach until the media did, prompting them to wonder why, if privacy and security are such a priority for a company like T-Mobile, they had to learn about the incident from somebody else:

“It just frustrates me, honestly,” Richards said. “If our data is a priority for you guys to keep safe, how come I haven’t gotten a notification or anything like that?”

Of course T-Mobile, like countless other American companies, isn’t incentivized to actually secure user data because we don’t have a meaningful privacy law for the internet era. In most cases, the most companies like this see are a week of bad headlines and a few regulatory wrist slaps — assuming U.S. regulators have the time or resources to pursue any kind of meaningful investigation at all. Without meaningful oversight and penalties, the impact on consumers is often little more than an afterthought, and the most they get is another round of “free credit reporting” — something they’ve already obtained from the last seven times their personal information wasn’t properly secured.

Then of course there’s the relentless “growth for growth’s sake” mindset in telecom and other sectors that results in a near-mindless obsession with consolidation (often at the cost of everything else). T-Mobile has spent much of the last five years kissing Donald Trump’s ass to gain regulatory approval for its job- and competition-eroding merger with Sprint. How much of the time spent pursuing their heavily criticized megadeal (and the follow-up network integration) could have gone toward actually securing the company’s servers, routers, and overall network?

Comments on “Hacker Taunts T-Mobile, Calls Its Security 'Awful'”

35 Comments
ECA says:

It’s too late for excuses.

How many years will it take for people to Stop and FIX things like Servers and access to the net?
This has been going on too long to be an excuse. These folks are Supposed to be top of the line support and building of our infrastructure. ISP, Phone, Cell phone, Internet, Cable and sat TV. WTF is going on.
Did everyone go to basic Windows as a server, NOT the server version that Charges you a yearly fee? How many Pentium 5 systems are being used for internet servers? They could be using a Dos based system, and it would work better, as you Really don’t need the graphics on a server; Windows NT would fit the bill and be safer than what is happening.
Forget all that, GO BACK TO LINUX/UNIX based systems. As one person mentions, it’s a pain to get set up, but there is a TON more security you can build into it.
(still would like to know what server prog All these break-ins happened to)
I know! It’s an automated Admin/sysop. And no one pays attention to it as ‘The computer did it’.

That One Guy says:

Re:

‘Any database of user information must include the same amount and type of personal information relating to the CEO and other executives of the company, secured no more and no less than other user information’, pass a regulation like that and you could watch in real time as companies switch from indifference to suddenly showing a very real interest in proper security no matter how it might ding their quarterly profits.

Probably not legal or constitutional, but it is a pleasant thought at least, as it would certainly solve the problem.

That One Guy says:

'Any security at all is a huge hurdle here at T-Mobile...'

T-Mobile: We didn’t live up to the expectations we have of ourselves to protect customer data.

Hacker: Yeah, I basically just walked through the digital equivalent of an unlocked ‘employees only’ door that was propped open and had the key sitting on a rock next to it just in case.

If they didn’t live up to their own expectations and their security was that bad, how low were their expectations, and how sad/horrifying is it that they still failed to meet them?

Ninja says:

"In most cases, the most companies like this see are a week of bad headlines and a few regulatory wrist slaps — assuming U.S. regulators have the time or resources to pursue any kind of meaningful investigation at all." <<< this. We have some regulations here that say all customer service must provide records of all interactions upon request or face fines. Of course you only want these records when you run into problems. And of course when it happens they magically "lose" the records. Because the fine is so ridiculously low and without consequences for repeated offenses that it’s worth it for them to avoid actually paying for their mistakes.
Other examples? We had two major residue dams rupture in Mariana and Brumadinho here. When Brumadinho happened, the companies had paid virtually nothing in damages, so no incentives to fix their security procedures. And to this day they haven’t paid even the bare minimum to relieve the victims and families or to actually make a dent in their revenues. Tick tock, when is the next disaster going to happen? It’s a matter of when the next breach/disaster will happen, not if. And the govts are in no hurry to hold these bastards accountable.

That One Guy says:

Re:

Security costs money and therefore cuts into quarterly profits now and for as long as you keep it running.

Security breaches by and large impact customers, and the costs to deal with them are something that the future company gets to deal with if and when they happen.

Lastly, penalties for shoddy security have historically been in the ‘slap on the wrist and stern warning to be more careful in the future’ range, such that they’re not in any real way a deterrent and are thus vastly outweighed by the first point.

It’s sadly really easy to explain events like this without having to dip into the realm of political corruption (well, other than captured regulatory agencies).

Theo Felix says:

Re:

Yes, you are right. That’s ridiculous. Come on, we are living in the 21st century, and with the advancement in technologies there should be an advancement in cyber security as well. How much time will these capitalists take to FIX things with their data security? Why don’t they have secure servers? Why do they have weak spots to get breached?
Excuses are not enough now!

Eve Hyman says:

The personal information of over 53 million people is compromised due to the poor management of T-Mobile. The hack of users’ names, addresses, DOBs, phone numbers, and even Social Security numbers happens, and users get to know about it through the media. It’s high time for concern about this massive data breach, and an apology is not enough for it.

Cora Gerard says:

Re:

Users are frustrated. They want their data to be safe, as they trust the company with it. It should be a priority of a company to keep it safe. And if any issue happens, they should have informed the customers through a notification or anything like that. Is it too much to ask for? Really disappointed to see the news!

Mark Shane says:

T-Mobile and other companies like that don’t really pay attention to securing user data because there is no evocative privacy law for this digital internet era. There should be meaningful investigation of how these companies work to secure the user’s data. Without any law and order, meaningful oversight, and imposition of penalties, the user will continue to suffer. The impact of these breaches on the user will be more than one can think. And the user is not compensated for all these malicious activities either. It has happened for the seventh time, and now it has become crucial for these companies to work on encryption.

Theo Felix says:

I am in awe to read that the hacker conducted an interview with the Wall Street Journal. The extra apology from the CEO of T-Mobile was not impulsive. He apologized when the hacker referred to T-Mobile’s consumer privacy as “awful”. LOL. It’s really surprising that they suck at the security and protection of users’ data.
