Hackers have stolen the personal data of millions of T-Mobile’s customers, according to a blog post from CEO Mike Sievert on August 27, 2021. The data includes the names, driver’s license numbers and Social Security numbers of up to 40 million current and former T-Mobile customers, although credit card information wasn’t compromised. Sievert added that T-Mobile failed to “live up to the expectations we have for ourselves to protect our customers.”
Large-scale attacks like this have been happening for years, illustrating the continual arms race between hackers and defenders. However, the U.S. government has significantly increased its pressure on private companies to improve their cybersecurity during the last few months.
Allie Mellen, security analyst for research firm Forrester, reports that this latest breach is the fourth in five years for T-Mobile, suggesting that its security isn’t up to the task of protecting data from today’s hackers. It’s difficult to determine exactly why this keeps happening from the outside, but Mellen states that the simplest explanation is that T-Mobile simply isn’t making the effort needed to protect its customers. Mellen goes on to say that the company has “shown time and time again that they don’t care about the safety of their customers’ data.”
Tech publication Motherboard initially reported T-Mobile’s most recent breach on August 15, 2021. The company confirmed the attack two days later, saying it was under investigation and calling it “highly sophisticated.” Mellen disputes this assertion, claiming that it wasn’t sophisticated at all. He adds that companies routinely use this phrase to deflect blame for the attack. The Wall Street Journal (WSJ) reported on August 26, 2021 that John Binns, a 21-year-old American in Turkey, was taking credit for the attack, saying that he was able to access an unprotected router on T-Mobile’s network. The claim appears credible because Binns provided the WSJ with details of the attack before they were widely known.
Sievert says that T-Mobile has patched the security vulnerabilities that allowed the hacker to access the server. However, he declined to provide details, citing an ongoing investigation by law enforcement agencies. Sievert added that the hacker had knowledge of T-Mobile’s systems and used specialized tools to carry out the attack. He also stated that consumer data wasn’t at further risk from this breach and that T-Mobile would be working to regain the trust of its customers.
Data breaches on the scale of the most recent T-Mobile incident have been steadily increasing over the last few years, meaning the personal information of almost every American is available for sale on the internet. Ransomware attacks are particularly troublesome since they also prevent companies from accessing the data after the breach. As a result, U.S. politicians are developing legislation that will require companies to protect the data they possess.
President Biden signed an executive order in May 2021 after a ransomware attack resulted in the shutdown of the Colonial Pipeline. This order requires federal agencies and their contractors to improve their cybersecurity standards. Legislators have also proposed a law that would require organizations that support critical infrastructure to meet minimum requirements. The U.S. Senate passed this bill in August, which includes $2 billion in funding but will cost an estimated $1 trillion to fully implement.