On August 17, 2021, T-Mobile learned that a bad actor illegally accessed personal data and stole data on 50 million customers. For perspective, 50 million is nearly 15% of the US population.
Beyond the sheer scale, this breach is significant for many reasons, particularly for the reminders it holds.
First, don’t be “lax” about security.
The 21-year-old hacker taking responsibility for this breach said T-Mobile was lax with security. His way in was an unprotected router exposed on the internet, which he found with a simple scanning tool available to the public.
This puts the importance of cybersecurity hygiene in the spotlight. It also reinforces why conducting penetration testing and vulnerability assessments on a regular basis is critical. Oh, and don’t forget patching to close known vulnerabilities quickly, along with security monitoring for anomalies in the environment.
Next, remember employees are your weak link.
T-Mobile outlined that the following types of business and personal information were exposed.
- Business information: name, federal tax ID, business address, contact name and business phone number.
- Personal information: names, drivers’ licenses, government identification numbers, Social Security numbers, dates of birth, addresses and phone numbers.
This information is gold to hackers and, as a result, is easily sold on the dark web. Here’s what it means to your business:
- Employees reuse passwords for personal and business accounts. This means their T-Mobile password may very well also be their corporate password. This is why you need both stringent password policies as well as Multi-Factor Authentication (MFA). MFA should be a non-negotiable for all businesses today.
- Hackers now have valuable content for their social engineering scams, which they can aim directly at your users and business. We’ll say it again, employees are often the weakest link in security. Businesses must invest in training and running regular phishing tests.
Third, dark web scanning.
Seriously, the data from this breach is likely for sale on the dark web. The cost of continuous dark web scanning for employees is nominal and often included in managed cybersecurity offerings. Take the time to deploy it for all your users and encourage them to provide their personal email addresses as well.
Fourth, use this as an opportunity to revisit your Mobile Device Management (MDM) technology and policies.
Mobile endpoints provide a direct path into corporate networks, especially in today’s work-from-anywhere environment. Take the time to properly secure them.
Here are just a few examples of what MDM enables:
- The ability to track all devices accessing corporate data and information
- Secure wireless access on individual devices and other network security features
- Security systems on devices that separate company apps from personal apps
- Capability to remotely lock a device that’s been lost, wipe any sensitive data from a stolen device, or restore functionality to a found phone with backed-up data
- Logging and reporting capabilities for end-user activity
Finally, here’s a reminder of how T-Mobile is helping impacted customers.
- Offering two years of free identity protection services with McAfee’s ID Theft Protection Service to any person who believes they may be affected;
- Recommending that all eligible T-Mobile customers sign up for free scam-blocking protection through Scam Shield;
- Supporting customers with additional best practices and practical security steps like resetting PINs and passwords; and
- Publishing a customer support webpage that includes information and access to these tools at https://www.t-mobile.com/brand/data-breach-2021