T-Mobile’s most recent hack (there have been a few) compromised the sensitive personal information of more than 54 million people, including names, addresses, Social Security numbers, and driver’s licenses. According to CEO Mike Sievert, a lone hacker conducted a brute force attack on multiple servers containing the user data.
21-year old hacker John Binns has claimed responsibility for the attack, and in speaking with the Wall Street Journal, referred to T-Mobile’s security as “awful.”
T-Mobile’s track record is indeed awful. The company was breached at least twice in 2020, another two times in 2019, once in 2018, and another time in 2016. Even in an era defined by a seemingly endless parade of data breaches, T-Mobile stands out.
The list of security fails isn’t limited to data breaches. T-Mobile is fighting myriad customer lawsuits for SIM-swapping attacks, which is when a criminal transfers a victim’s cell phone number to a new device to bypass 2-factor authentication, gain access to sensitive account information and commit other identity-related crimes.
A sampling of the lawsuits:
- The loss of $55,000 in Bitcoin when a T-Mobile employees provided “unauthorized access to Plaintiff’s account and SIM data.”
- Another $450,000 in Bitcoin lost as a result of a similar attack.
- $8.7 million in a 2017 SIM-swapping scam that made two subsequent hacking incidents posible in 2018 and 2019 even after T-Mobile was alerted about the security issue.
Dozens, if not hundreds more stories from customers can be found online, including on T-Mobile’s own forums.
This is not to suggest that T-Mobile is unique in having experienced a data breach on a massive scale; Verizon, P.F. Chang’s, Experian and several federal agencies can attest to this. Nor is it to say that SIM-swapping is unique to T-Mobile. Other mobile carriers have faced similar lawsuits.
Where T-Mobile stands out is in the frequency of these incidents. While many companies and organizations find themselves repeatedly in the crosshairs of threat actors, few if any have been so consistently shown to have been compromised due to lax security with little to show for anything resembling course correction.
“Keeping our customers’ data safe is a responsibility we take incredibly seriously and preventing this type of event from happening has always been a top priority of ours,” said T-Mobile CEO Mike Sievert about its most recent breach.
If this sounds familiar, it should. Here’s a T-Mobile spokesperson saying almost the same thing in 2019. “We have a number of safeguards in place to protect personal information from unauthorized access, use, or disclosure. Fortunately, we discovered this activity quickly and shut it down immediately.” This about a breach that exposed the personal data of 1 million customers.
And again:
“We take the security of your information very seriously and have a number of safeguards in place to protect your personal information from unauthorized access. We truly regret that this incident occurred and apologize for any inconvenience this has caused you,” stated an official statement from T-Mobile on its website in 2018 about another breach.
And again:
“I take our customer and prospective customer privacy very seriously. This is no small issue for us,” said then-CEO John Legere in 2015 of another data breach affecting customers between 2013 and 2015.
While no company or organization can fend off all cyberattacks, T-Mobile could be doing better and if it continues to fail on such a grand scale, perhaps it’s time for a class action suit that forces them to do better.