T-Mobile data breach damaging to reputation, industry says

Despite affecting only a small number of customers, yet another data breach at T-Mobile can still be “highly damaging” to the company’s reputation and customer trust, Erfan Shadabi, cybersecurity expert at Comforte AG, says.

Over the weekend, T-Mobile disclosed its second data breach of the year, after the first affected more than 37 million people earlier this year.

This time around, the incident impacted only 836 customers. However, the information exposed was said to be “highly extensive” and exposes people to identity theft and phishing attacks.

“As a telecommunication company, T-Mobile collects vast amounts of sensitive data from its customers, such as names, addresses, and social security numbers,” Shadabi says.

“Any breach, no matter how small, can lead to devastating consequences, including financial losses, legal issues, and damage to brand reputation. Additionally, data breaches can attract regulatory scrutiny and penalties, leading to additional costs and complications.”

Overall, Shadabi says, it is essential for companies to prioritise the protection of customer data to mitigate the risk of cybersecurity attacks.

A robust cybersecurity strategy that employs advanced technologies and practices such as tokenisation or format-preserving encryption should be implemented to safeguard customer data and ensure the security of a company’s reputation, he adds.

T-Mobile response

In data breach notification letters sent to affected customers, T-Mobile said: "In March 2023, the measures we have in place to alert us to unauthorised activity worked as designed and we were able to determine that a bad actor gained access to limited information from a small number of T-Mobile accounts between late February and March 2023."

T-Mobile was keen to stress that call records and personal financial account information were not accessed.

Customers who were impacted have had their PINs reset by T-Mobile and are being given two years of free credit monitoring and identity theft services.

After the first attack of the year, the operator agreed to pay US$350 million to settle customer claims and to spend another US$150 million to enhance its cybersecurity practices.

The incident is the ninth cyber hit on T-Mobile since 2018.

Brad Freeman, director of technology at SenseOn, added: “Securing a mobile ISP is exceptionally challenging due to the number of bespoke technologies in use. Services including call centers, apps, websites, billing, APIs, CRM, ERP as well as data, call and voicemail handling need complex integrations.”

Whilst T-Mobile has a poor track record of data breaches, he says, its peers have also performed poorly.

Recent data breach incidents from Verizon and AT&T show that telecoms companies have become prime targets of cyberattacks in recent months.