Dive Brief:
- T-Mobile, working with FireEye's Mandiant on the investigation, closed the entry points a hacker used to gain access to its servers, CEO Mike Sievert said in a statement Friday. "We are confident that there is no ongoing risk to customer data from this breach."
- The telecommunications company is "unable to disclose too many details," as it works with law enforcement, but Sievert said the intruder used "their knowledge of technical systems" to break into T-Mobile's testing environments using brute-force attack methods. The hacker's goal was to gain customer data, and "they succeeded," he said.
- To improve cybersecurity moving forward, T-Mobile entered into a long-term partnership with Mandiant and consulting firm KPMG. The partnerships are part of a larger, multi-year investment to improve T-Mobile's strategy and adopt best practices, Sievert said.
Dive Insight:
T-Mobile's data breach, the latest in a string of breaches in recent years, compromised upwards of 54 million current, former and prospective customers. The breach was a lesson in how storing unused data can turn into a liability.
The hacker who claimed credit, John Binns, gained access to T-Mobile's customer database because "their security is awful," he said in messages to The Wall Street Journal. The 21-year-old used stored credentials to illegally access more than 100 servers.
Vice's Motherboard was first to report the data leak, after a dark web forum listed the customer data for sale. The auctioneer was looking for $270,000 in exchange for millions of Social Security numbers and driver licenses. It is unknown if Binns was working alone or with other dark web affiliates.
While class action lawsuits mount against T-Mobile, the Federal Communications Commission is also launching an investigation into the breach because of the telecommunications company's failure to protect consumer data. The breach will also raise questions for customers protected by the California Consumer Privacy Act and other state data privacy laws.
The incident could have far-reaching effects from a business standpoint. Earlier this month, Moody's said "the incident is credit negative because of the financial, reputational and legal costs associated with data breaches," while amplifying T-Mobile's previous hacks. However, the company's previous breaches "appear to be more immaterial compared with this recent incident," Moody's said.
"While other U.S. mobile carriers have disclosed cyber incidents in recent years, none has done so as frequently as T-Mobile. The repeated incidents raise questions about T-Mobile’s cyber risk governance and management practices," Moody's said. This conclusion was drawn after a July survey found companies in the tech and telecommunications industries typically have the strongest cyber governance practices.
T-Mobile, after acquiring Sprint in 2018, is among the top three cellular carriers in the U.S., next to AT&T and Verizon. Though end-of-year reporting will better outline the business impact on T-Mobile, the average total cost of a data breach is almost $3.9 million, according to IBM's 2020 Cost of a Data Breach report. U.S.-based companies also tend to see the highest price tags relating to a breach.