T-Mobile’s breach is much more serious than it should have been


In an email overnight, T-Mobile shared details about the data breach it confirmed on Monday afternoon. They are not good. Various data belonging to more than 48 million people were leaked. Although this is fewer than the 100 million originally advertised by the hackers, the vast majority of people affected are not T-Mobile’s current customers at all.

Instead, T-Mobile said that of the people whose data was leaked, more than 40 million were former customers or prospective customers who had applied for credit from the carrier. The other 7.8 million are current “post-paid” customers, which simply means T-Mobile customers who receive a bill at the end of each month. The full names, dates of birth, social security numbers and driver’s license information of approximately 48 million people were stolen. The names, phone numbers and PINs of another 850,000 prepaid customers (who fund their accounts in advance) were exposed. The investigation is ongoing, which means the numbers may not stop there.

There is no good news here, but the slightly less bad news is that the vast majority of customers’ phone numbers, account numbers, PINs, passwords and financial information do not appear to have been leaked. The bigger question, however, is whether T-Mobile really needed to retain such sensitive information about 40 million people with whom it currently does no business. Or, if the company wants to store this data, why not take better precautions to protect it?

“Generally speaking, in terms of the kind of information that companies can retain about us, it’s still the Wild West in the United States,” said Amy Keller, a partner at DiCello Levitt Gutzler who led the class action litigation against Equifax over that credit bureau’s 2017 breach. “Am I surprised? I’m not surprised. I think you could say I’m depressed.”

Privacy advocates have long promoted the concept of data minimization, a fairly self-explanatory approach that encourages companies to retain only as much information as they actually need. Europe’s General Data Protection Regulation codifies this approach, requiring that personal data be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. There is currently no similar law on the books in the United States. “U.S. privacy laws that address data minimization usually don’t require it,” Keller said, “but recommend it as a best practice.”

Unless the United States adopts a comprehensive privacy law similar to the GDPR, or state-level legislation such as the California Consumer Privacy Act starts to take a hard line, data minimization will remain an unfamiliar concept. “Generally speaking, under U.S. law, collecting and retaining sensitive data on prospective and former customers is not consumer fraud but routine business,” said David Opderbeck, co-director of the Institute of Law, Science and Technology at Seton Hall University. Although it seems inappropriate for T-Mobile to keep detailed records on millions of people who may never have become its customers, there is nothing to stop it from doing so for as long as it wants to.

Now these former and prospective customers, along with millions of current T-Mobile users, find themselves the victims of a data breach beyond their control. “The first risk is identity theft,” said John LaCour, founder and chief technology officer of PhishLabs, a digital risk protection company. “This information includes name, social security number, driver’s license ID: that’s all the information someone needs to apply for credit.”

It may also be easier for hackers to carry out so-called SIM swap attacks, LaCour said, especially against the prepaid customers whose PINs and phone numbers were exposed. In a SIM swap, attackers port your number to a device they control, usually in order to intercept SMS-based two-factor authentication codes and thereby break into your online accounts more easily. T-Mobile did not respond to WIRED’s inquiry about whether international mobile equipment identity numbers were also involved in the breach; each mobile device has a unique IMEI, which is likewise valuable to SIM swappers.

T-Mobile has taken some protective measures on behalf of the victims: it is offering two years of identity protection through McAfee’s ID Theft Protection Service, and it has reset the PINs of the 850,000 exposed prepaid customers. It recommends, but does not require, that all current post-paid customers change their PINs as well, and it offers a service called “Account Takeover Protection” to help prevent SIM swap attacks. It also plans to publish a “one-stop information” website on Wednesday, although the company did not say whether it will offer any way to check whether you are affected by the breach.
