Hacker Taunts T-Mobile, Calls Its Security 'Awful'
from the fool-me-once dept
It's historically always been true that however bad a hack scandal is when initially announced, you can be pretty well assured that it's significantly worse than was actually reported. That's certainly been true of the recent T-Mobile hack, which exposed the personal details (including social security numbers) of more than 53 million T-Mobile customers (and counting). It's the fifth time the company has been involved in a hack or leak in just the last few years, forcing the company's new(ish) CEO Mike Sievert to issue yet another apology for the company's failures last Friday:
Our investigation into the cybersecurity attack against @Tmobile & our customers is substantially complete. We didn’t live up to the expectations we have of ourselves to protect customer data. Here's how we're taking our security efforts to the next level.
— Mike Sievert (@MikeSievert) August 27, 2021
The extra apology didn't come unprompted. It came after the hacker involved in the data breach conducted an interview with the Wall Street Journal (paywalled, here's an open alternative) in which he explained T-Mobile's overall consumer privacy and security protections as "awful":
Binns gained access to the servers after discovering an unprotected router by scanning T-Mobile's internet address for weak spots, The Journal reported. Over 53 million people had personal information compromised in the hack such as names, addresses, dates of births, phone numbers, Social Security numbers, and driver's license information."
In short he didn't so much as "hack" T-Mobile as he walked straight through an open door. Customers say they didn't know about the breach until the media did, prompting them to wonder why, if privacy and security is such a priority for a company like T-Mobile, they had to learn about the incident from somebody else:
"It just frustrates me, honestly," Richards said. "If our data is a priority for you guys to keep safe, how come I haven't gotten a notification or anything like that?"
Of course T-Mobile, like countless other American companies, isn't incentivized to actually secure user data because we don't have a meaningful privacy law for the internet-era. In most cases, the most companies like this see are a week of bad headlines and a few regulatory wrist slaps -- assuming U.S. regulators have the time or resources to pursue any kind of meaningful investigation at all. Without meaningful oversight and penalties the impact on consumers is often little more than an afterthought, and the most they get is another round of "free credit reporting" -- something they've already obtained from the last seven times their personal information wasn't properly secured.
Then of course there's the relentless "growth for growth's sake" mindset in telecom and other sectors that results in a near-mindless obsession with consolidation (often at the cost of anything else). T-Mobile has spent much of the last five years kissing Donald Trump's ass to gain regulatory approval for its job and competition eroding merger with Sprint. How much of the time spent pursuing their heavily criticized megadeal (and the follow up network integration) could have gone toward actually securing the company's servers, routers, and overall network?
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: data breach, hackers, leak, mike sievert, security
Companies: t-mobile
Reader Comments
Subscribe: RSS
View by: Time | Thread
Its to late for excuses.
How many years will it take for people to Stop and FIX things like Servers and access to the net?
This has been going on to long to be an excuse. These folks are Supposed to be top of the line support and building of our infrastructure. ISP, Phone, Cell phone, Internet, Cable and sat TV. WTF is going on.
Did everyone goto basic Windows as a server, NOT the server version that Charges you a yearly fee? How many Pentium 5 systems are being used for internet servers? They could be using a Dos based system, and it would work better, as you Really dont need the graphics on a server, Windows NT would fit the bill and be safer then what is happening.
Forget all that, GO BACK TO LINUX/UNIX based systems. As one person mentions, its a pain to get setup, but there is a TON more security you can build into it.
(still would like to know what server prog All these break-in's happened to)
I know! its an automated Admin/sysop. And no one pays attention to it as 'The computer did it'.
[ link to this | view in chronology ]
These companies need to work to protect customer data as hard as they work to keep the CEO's personal cell phone number from their own customers.
[ link to this | view in chronology ]
Re:
'Any database of user information must include the same amount and type of personal information relating to the CEO and other executives of the company, secured no more and no less than other user information', pass a regulation like that and you could watch in real time as companies switch from indifference to suddenly showing a very real interest in proper security no matter how it might ding their quarterly profits.
Probably not legal or constitutional but is is a pleasant thought at least as it would certainly solve the problem.
[ link to this | view in chronology ]
'Any security at all is a huge hurdle here at T-Mobile...'
T-Mobile: We didn’t live up to the expectations we have of ourselves to protect customer data.
Hacker: Yeah I basically just walked through the digital equivalent of an unlocked 'employees only' door that was propped open and had the key sitting on a rock next to it just in case.
If they didn't live up to their own expectations and their security was that bad how low were their expectations and how sad/horrifying is it that they still failed to meet them?
[ link to this | view in chronology ]
"In most cases, the most companies like this see are a week of bad headlines and a few regulatory wrist slaps -- assuming U.S. regulators have the time or resources to pursue any kind of meaningful investigation at all." <<< this. We have some regulations here that say all customer service must provide records of all interactions upon request of face fines. Of course you only want these records when you run into problems. And of course when it happens they magically "lose" the records. Because the fine is so ridiculously low and without consequences for repeated offenses that it's worth for them to avoid actually paying for their mistakes.
Other examples? We had two major residue dams rupture in Mariana and Brumadinho here. When Brumadinho happened, the companies had paid virtually nothing in damages so no incentives to fix their security procedures. And to this day they haven't paid even the bare minimum to relieve the victims and families or to actually make a dent in their revenues. Tic toc when is the next disaster going to happen? It's a matter of when the nextr breach/disaster will happen, not if. And the govts are in no hurry to hold these bastards accountable.
[ link to this | view in chronology ]
Re:
I wasn't very clear: Mariana happened a few years before Brumadinho.
[ link to this | view in chronology ]
Has anyone looked to see if any credit monitoring companies are making large donations to congresspeople?
I mean how else can one explain the complete inaction on this issue?
[ link to this | view in chronology ]
Re:
Security costs money and therefore cuts into quarterly profits now and for as long as you keep them running.
Security breaches by and large impact customers and the costs to deal with them are something that future company gets to deal with if and when they happen.
Lastly penalties for shoddy security have historically been in the 'slap on the wrist and stern warning to be more careful in the future' range such that they're not in any real way a deterrent and are thus vastly outweighed by the first point.
It's sadly really easy to explain events like this without having to dip into the realm of political corruption(well, other than captured regulatory agencies).
[ link to this | view in chronology ]
When most of the letters
in the CEO's last name spell SIEVE, it's no wonder the company leaks.
[ link to this | view in chronology ]
Another day, another company, and another hack. People are tired of trusting these companies with their data privacy. In the end, all they do is apologize. Why don’t they explain that why it is a customer in the end who suffers. Why don’t the CEO, and other people from higher management?
[ link to this | view in chronology ]
T-Mobile got exposed because of its unprotected router. The hacker Binn gained access to the servers by scanning T-Mobile's internet address for weak spots. It is not the first time this is happening. And this time they even did not know about this? That’s ridiculous.
[ link to this | view in chronology ]
Re:
Yes, you are right. That’s ridiculous. Come on we are living in the 21st century and with the advancement in technologies, there should be an advancement in cyber security as well. How much time these capitalists will take to FIX things with their data security? Why don’t they have secure servers? Why do they have weak spots to get breached?
Excuses are not enough now!
[ link to this | view in chronology ]
The personal information of over 53 million people is compromised due to the poor management of T-Mobile. The hack for users’ names, addresses, DOBs, phone numbers, and even Social Security numbers happen and users get to know about this through media. That’s high time for concerning this massive data breach and an apology is not enough for it.
[ link to this | view in chronology ]
Re:
Users are frustrated. They want their data to be safe as they trust the company with it. It should be a priority of a company to keep it safe. And in case if any issue happens, they should have informed the customers through a notification or anything like that. Is it too much to ask for? Really disappointed to see the news!
[ link to this | view in chronology ]
T-Mobile and other companies like that don’t really pay attention to secure user data because there is no evocative privacy law for this digital internet era. There should be meaningful investing in how these companies work to secure the user’s data. Without any law and order, meaningful oversight, and penalties imposition, the user will continue to suffer. The impact of these breaches on the user will be more than one can think. And neither user is compensated for all these malicious activities. It has happened for the seventh time and now it has become crucial for these companies to work on encryption.
[ link to this | view in chronology ]
I am in awe to read that the hacker conducted an interview with the wall street journal. The extra apology from the CEO of T-Mobile was not impulsive. He apologized when the hacker referred to T-Mobile’s consumer privacy as “awful”. LOL. It’s really surprising that they suck at the security and protection of users’ data.
[ link to this | view in chronology ]
Re:
The solution to these types of breaches only lies in honesty. If the company thinks of users’ data as important as the data of their CEO’s phone, the breach will never happen. They should secure users’ data the same as they secure the data of the CEO.
[ link to this | view in chronology ]
Re:
Yeah, She is right. It's not too difficult to be dedicated to securing users’ data. It is not a matter of legalization or constitutional but it will solve the issue and the CEO will never have to apologize on social media platforms like that again. Period
[ link to this | view in chronology ]