I was a happy customer of T-Mobile for around 10 years. Until I moved out into the county and was forced to switch. It seems like temblor has gone down hill since acquiring sprint. But this isn't the first time something like this has happened at T-Mobile. Seems as if they have a 2-3 year cadence of data incidents.
This. I was a TMo customer from when they were Voicestream until about five years ago, then again 3 years ago. Had to switch to VZW so the college kids got signal. This is what, the third or fourth time they've had a data breach? We will not be going back. Ever.
It starts to look like these are not breaches but instead could be sales of customer account info by insiders that are then reported as breaches by external bad actors.
This is far too regular an occurrence for T-Mobile. I have never been a customer of theirs and so far as I know my info has never leaked from my cell provider. Unfortunately I was caught up in more than one other major data breach over the last 10 years so it is all out there but still, when one company has this many similar breaches it starts to look like planned events.
>The company said it identified malicious activity on Jan. 5 and contained it within a day, adding that no sensitive data such as financial information was compromised.
> However, some basic customer information was obtained, such as name, billing address, email and phone number, T-Mobile said.
Is this not sensitive information? That all qualifies as PII.
Plus, another article [0] goes on to add "dates of birth, T-Mobile account numbers and information describing the kind of service they have" which gets me wondering about social engineering against CSRs, leading to a wave of SIM hijacking and the like.
In the UK (arising from GDPR so I would assume EU as well), sensitive personal data is an enhanced category of PII which requires more considered handling.
This would include things like race, health conditions, disabilities, sexual orientation, political views - basically things that you wouldn't expect T-Mobile to be storing.
It is all PII. At the same time, all of this is often readily available for free from local government websites — this data and more are present for anyone who registers to vote in Seattle (maybe King County?), in a downloadable spreadsheet.
I hate that this information is out there. For most of us it’s one in a series of unwanted disclosures. I care and disapprove on principle but I don’t think I’m compromised any more than I already am.
In these breaches there always seem to be two tiers of data, sensitive data that remains secure and less sensitive data that is leaked. This shows to me that companies are capable of securing sensitive data in most cases, and don't care as much about less sensitive data (even if it is PII). Maybe all data should be encrypted at rest, in transit, etc. and not just passwords, socials, and credit card numbers.
I'm tired of this crap. Can we just say all businesses have to pay $10,000 direct to each customer for each data breach?
Furthermore, to prevent government scope creep, can we say the $10,000 comes from the dynastic wealth of whatever congress critters backed whatever bills required the companies to collect the stolen data in the first place?
There is no reason for the cell company to even know who its customers are, beyond dealing with sim card replacements. That could be handled without requiring PII.
It needs to be company ending, and it needs to be owed to the customers so that the courts cannot negotiate it down (preferably, it would be first priority when apportioning company assets in any bankruptcy proceedings). That would force them to price out insurance policies, and then decide if paying $2500/yr per customer (since TMO has a breach like this every few years…) is greater than or less than the value the get from the data in the first place.
The other necessary fix here is making lenders liable for not verifying the identity of a borrower.
Individuals should not have to spend time proving they did not borrow money, lenders should be liable for any losses if they want to save money and extend credit with just a SSN/name/address verification.
No, that's impossible. No one would want to start a business, ever if you could just be wiped out because some vendor's vendor fucked up. If you want that, then we need like a free tax funded federal MSP.
Good, the whole point is that if you aren't willing to take responsibility for the information you are storing, you shouldn't be storing it. So businesses without the will to do that will shut down, the rest will be more hardened, or less willing to stored data they don't actually need.
That’s a massive cooling factor in the biz env, it starts to have huge negative impact. Over time, the regulatory environment causes US to lose edge, declining salaries, quality of life.
Nope. You’ve clearly never worked in IT. There is no perfect solution. And the closer to perfect you get, the system becomes harder and harder to use, maintain, and modify.
The companies using it didn't (generally) have a commercial relationship with the authors, so I'm comfortable leaving the users holding the responsibility. Fair question, though... I might even prefer to make liability only follow services, not code. So if you make a SaaS that takes PII, that's you're problem. If you publish code that can hold PII, that's still the problem of whoever uses it on PII.
My 89-year-old mother uses a T-mobile prepaid plan on her flip phone. A text message that addresses her by name might fool her into getting phished. Plenty of “personal information״ has leaked.
Yeah, but my mother is incapable of managing an address book or using a smartphone with those types of features.
In the past I told her to ignore every text message no matter how urgent or convincing it looks. Fortunately, she can't figure out how to read old messages so once a message times out and disappears from the screen she won't see it again.
You get $25 or actual damages with documentation. (Californians get $100 instead of $25 because of some law.)
As part of this settlement, T-Mobile is also agreeing to spend an extra $150 million on information security during 2022 and 2023. I guess that money didn't get spent yet or it didn't work. (See section 5 in the actual agreement at https://www.t-mobilesettlement.com/home/1552/DocumentHandler...)
> "Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network"
Why do companies always try to sugarcoat things? Its analogous to doctor gives us bad news but shows us the silver-lining. I guess these are more of the PR side of things.
Definitely not an endorsement since I’m not an expert on the company, but I recall Cloudflare giving incredibly honest and transparent write-ups when they’ve had service issues in the past.
The target for the communication is investors. I read it to say "Price in the costs for a garden variety data breach, but not a CPRA-specific class action."
Bingo. The average T-Mobile user doesn't really understand what a breach is, and the handful of network engineer / tech nerds here on HN getting angry about it is superfluous to their bottom line. They're talking to investors, and maybe ISP Peers.
Data breach and unlawful data processing penalties should be painful so lack of investments in security would mean something more than just momentary bad press.
It should REALLY hurt. Like strong financial penalties and CEO going to jail-hurt or at least board of directors throwing the CEO on the pavement-hurt.
For now, it's just a potential slap-on-the-wrist cost of doing business which companies like T-Mobile or Google are very happy to risk time and again.
So, a CEO runs a company which uses another company to host their servers which uses an operating system built by another company, and runs on hardware built by yet another company and has a processor built by another company yet again.
Every one of those is a potential security hole. Now who do you want to send to jail again?
I get it, it’s frustrating. But the reason we haven’t solved this problem is because it’s both complicated and complex.
People responsible for making decisions - usually holding a title of CxO. Judges are not unreasonable - if a CEO is responsible for cutting corners on security spending, it's something different than a faulty hardware (say, intel CPUs) which "everyone" uses.
I agree. unless the one who stole the data comes and lays out the exact preventable vulnerability they exploited, this is just going to result in businesses paying through the roof for fake assurances of security from middlemen, indirectly passing the cost on to consumers/society.
Punishment is complex, but the solution isn’t. It could be mandated that companies are only permitted to request & store information that is necessary to provide the service. A telco literally requires zero data from its users in order to provide a service. Maybe only payment details for postpaid.
For GDPR, it does not matter where a company is headquartered. GDPR applies to EU citizens (users, customers). That's why big companies often comply with GDPR for EU citizens but completely ignore it for people outside. It would be interesting to see if that's the case for T-Mobile. If the leak exposes GDPR violations, fines will most likely follow.
When it comes to mobile carriers it's common for them to lease the name off each other as to appear the same even though it's different companies. The T-Mobile from Germany may be a totally different (though equally shitty) company than the T-Mobile we're talking about here.
For example, financial companies are required to get reams of highly sensitive data to do KYC checks. The thing is, most companies would greatly prefer NOT to have to access and store this data, but they are legally required to. As a data point, when Stripe came out with their Stripe Identity product, many were surprised that, unlike their credit card processing where a merchant never gets to see any card data, with Stripe Identity the full image of highly sensitive data like drivers' licenses and passports are available to the Stripe clients. But the reason for this is that KYC rules require this data to be available to financial institutions. See top comment on https://news.ycombinator.com/item?id=27502993 and Patrick Collison's response.
IMO the only way this problem will ever be solvable is with some sort of broad-based tokenization solution. It's just impossible for most large companies to keep this data secure forever.
> financial companies are required to get reams of highly sensitive data to do KYC checks.
The real problem is that the data is considered sensitive in the first place. It's essentially publicly available data at this point and entities that want to extend credit to a particular individual should not be able to solely rely on that data to extend credit.
The law needs to be changed to allow an individual to sue creditors and credit bureaus for libel when they accuse them of failing to pay or defaulting on a line of credit.
Doesn't a CEO make something like 100 times an average employee? What does all that money buy? Shouldn't it go to someone who can on some level promise that they'll solve the hard problems and/or take responsibility?
My bank has not leaked any of my private info.
And it has not allowed other than me to use my account.
I suppose their systems are subject to the same risks you listed.
So it is possible - isn't it?
Fine them $1500 per account breached, per PII attribute taken. From the other posts it looks like at least 4 attributes were taken. So that is $1500 x 4 x 37M = $222B. I think $222B is a paltry sum compared to the amount of damage that was probably caused by this, but let’s settle for $222B anyway. Breaches like this should end the company forever and the C-Suite should go to prison for criminal negligence. I am sick and tired of this.
Alright, sure. But you need to prove negligence. It's impossible to write perfect code right? You really have to prove whatever breach/error happened wasn't on purpose and wasn't due to gross negligence.
Heaven if you like living in a world where it takes months to ship even simple software. Don't get me wrong, I think we're too sloppy most of the time, but it's a trade off, not one sided.
> Imagine a world where all software is written using formal methods
(emphasis mine)
I would be much more agreeable to enforcing higher quality for more important things, including ex. systems that store PII for large numbers of people.
> Last year, Bellevue, Washington-based T-Mobile agreed to pay $350 million and spend an additional $150 million to upgrade data security to settle litigation over a cyberattack in 2021 that compromised information belonging to an estimated 76.6 million people.
And they were still breached. "gross negligence" definitely comes to mind.
Ancient Rome was filled with unsound residential development that yielded a lot of profits to anyone with means and influence to erect buildings. They would regularly collapse but common people had little access to legal protection.
Now we have strict building codes and thousands of buildings with dozens upon dozens of floors that can resist hurricanes and earthquakes.
Software development is barely 3 generations old. One day we will have sound engineering and fairly solid systems on a scale we can't even fathom today. But it will take a lot of collective learning. For now rickety systems can hoover enough value for their owners that they are still getting built all over the place.
Calling T-mobile’s security “ludicrous” would be a compliment. For a company with their resources, especially after multi-billion $ injection from ATT’s failed merger, they are so bad at it, it’s inconceivable. I don’t know who they’re hiring or contracting with to secure their systems and design their protocols, but they are garbage.
So much of enterprise level 'cybersecurity' is a box ticking exercise on one side and snake oil selling on the other. I have seen so many 'security products' presentations where you basically just tag resources versions and scan the tags, it's such an obvious scam. But the GUI looks awesome and they use 'AI'! sight
It's all just a big compliance and cost x benefit balance act. We won't get any real security at scale until damages actually hurt insurers enough that they actually invest in understanding and mitigating the problems.
That's exactly my impression of what's going on at T-mobile. With the ATT settlement they could have hired the best from security research community and/or the whitehat community to design and implement world class systems, protocols, and procedures - Apple and Google level stuff. But they seem to instead be doing exactly what you describe.
Not defending t-mobile here, but perhaps the local talent pool wasn't interested in solving security problems for a telco when just up the street either of AWS or MSFT could give them planet scale security problems to sink their teeth into.
I do not have much of an internet presence at all - no facebook, instagram, whatsapp, etc. However, my entire identity has been leaked several times over from this and other leaks. Even if I never signed up for anything online at all, I'm still screwed from the credit bureau leaks.
This issue is my "abortion" issue. What I mean is, I don't care who the candidate is, how immoral or unlikable they are. If they run punishing companies for data leaks, I will vote for them instantly.
I think this type of legislation will be about as helpful as punishing a toddler for falling over.
The root issue is that we are complacently pretending that any entity is capable of ensuring long-term security of a million-datapoint database of valuable information while at the same time thousands of their employees are allowed to work with it.
Yes to the second part, no to the first part. Let's punish these entities until the cost of storing (and leaking) my personal data is too high for them to stomach.
Genuine question, how many big leaks have Facebook, Microsoft, Google, Apple, etc experienced? If even companies paying top tier rates cannot manage the problem, I am unsure what recourse there is.
Well, right now there is no particularly strong incentive to perform well in this area for anyone (FAANG included), so I'm not sure past performance is indicative of future performance under a hypothetical ultra-strict punishment-happy regime.
The companies shouldn't be storing it, full stop. I really hope they levy enormous fines, so much so companies are afraid to store much data, and punt that to a third party for liability reasons. That third party, in a perfect world, would by nature have to have some of the best of the best, and take this seriously.
My old boss was working in this space a decade ago. Private data brokers you control, that companies would have to ask for info, pending your approval and such. As you might imagine in the era of sell everything you can, the idea never took off.
Well, you keep a record obviously, just not full data.
In a broker scenario, the company would access it as and when needed, on a permission basis. The cool thing about such a model is that if and when you move, change phone numbers, employment, etc, you'd only have to update it in one place! The last time I moved, I think I had to change it in about 20 places. Why does every company need to independently save my address?
I don’t think we need to do it in this particular case, but unlike a toddler we should be fine with punishing a company into non-existence.
Companies are just ideas that exist to help society run more smoothly, if one racks up enough penalties that it goes under, that’s good enough proof that it isn’t doing its job.
Never used T-Mobile, yet the last T-Mobile breach, I received a postcard from them offering me credit security services because they leaked my information. Turns out that data was from the early 2000's when cell phone store employee checked to see what services I can apply for... WTF!
"adding that no sensitive data such as financial information was compromised"
"some basic customer information was obtained, such as name, billing address"
Yeah THIS is why I vehemently disagree with KYC laws, especially those requiring a street address. I shouldn't have to tell someone where I sleep to use their business.
Breaches like this enable stalkers, thieves, domestic violence, lots of bad things.
Over the last 24 months, I have seen some weird increasing rate of vulnerable API endpoints in my own research. One of which would allow a bad actor direct access to over $2BB in funds (from a major organization worth more than $10BB), another plain-text credit card numbers and billing addresses (same application as the first); another were more plain-text credit card numbers (much smaller org, but still sizable). Both attacks were alarmingly non-trivial and would be scored as critical.
Why this trend is seemingly increasing, I don't know.
It is a scam - on multiple levels - first you get credit monitoring, but to the companies, it's a sales lead to try to sell you more of their protection / reports. It'd be a shame if something were to happen to your credit score.
Second, if a financial institution lent money to someone pretending to be me and this damages the rating these credit bureaus assign to me, why do I have to get involved? We have, as a society, let these companies get away with making us believe their lack of due diligence is our fault.
I don't know enough about the law to know why we can't sue these companies for libel.
Or even better; by federal law, cancel all bonuses, stock buyback and dividend for 3 years, for any company that leaked data about any person, anywhere in the world trough a data breach. And fine them accordingly, so the saved money don't just pile up for a late pack-back 3 years later.
To be honest, my name, billing address, email, and phone number have been compromised so many times by so many companies by now that I just don’t care any more. I’m about to do my once-a-decade phone number switch anyway. As long as my password/hash and payment info wasn’t compromised, that’s the main thing I care about.
When there are little to no consequences, it will keep happening. We need severe penalties for losing sensitive data, as in, an actual threat to the survival of a company, not some minuscule fine.
I don't disagree that this is sensitive, but isn't it wild to think that only 15 years ago, Yellow Pages was sending directories of name, address, and phone number of everyone in your area.
The book with people’s names, addresses, and phone numbers was the “white pages” or simply “phone book”. The book with business numbers and ads was the Yellow Pages. Get off my lawn.
Yes, I too remember the times when my telecomms provider printed my address into a phone book and sent it out to eastern scammer for them to target me. /s
119 comments
[ 2.2 ms ] story [ 220 ms ] threadThis is far too regular an occurrence for T-Mobile. I have never been a customer of theirs and so far as I know my info has never leaked from my cell provider. Unfortunately I was caught up in more than one other major data breach over the last 10 years so it is all out there but still, when one company has this many similar breaches it starts to look like planned events.
> However, some basic customer information was obtained, such as name, billing address, email and phone number, T-Mobile said.
Is this not sensitive information? That all qualifies as PII.
[0] https://www.cnn.com/2023/01/19/tech/tmobile-hack/index.html
This would include things like race, health conditions, disabilities, sexual orientation, political views - basically things that you wouldn't expect T-Mobile to be storing.
I hate that this information is out there. For most of us it’s one in a series of unwanted disclosures. I care and disapprove on principle but I don’t think I’m compromised any more than I already am.
Not after T-Mobile breach.
Also, this type of PII got leaked very often by now.
https://www.sec.gov/Archives/edgar/data/1283699/000119312523...
Furthermore, to prevent government scope creep, can we say the $10,000 comes from the dynastic wealth of whatever congress critters backed whatever bills required the companies to collect the stolen data in the first place?
There is no reason for the cell company to even know who its customers are, beyond dealing with sim card replacements. That could be handled without requiring PII.
Yes, exactly. It's indeed a massive value that's been stolen from the customers.
Individuals should not have to spend time proving they did not borrow money, lenders should be liable for any losses if they want to save money and extend credit with just a SSN/name/address verification.
I don't trust any message from anyone not in my address book. Even then, sender can be spoofed, but it's less likely.
In the past I told her to ignore every text message no matter how urgent or convincing it looks. Fortunately, she can't figure out how to read old messages so once a message times out and disappears from the screen she won't see it again.
BTW, if you were in the previous breach, the deadline for making a claim under the class action settlement is in 4 days (January 23, 2023):
https://www.t-mobilesettlement.com/
You get $25 or actual damages with documentation. (Californians get $100 instead of $25 because of some law.)
As part of this settlement, T-Mobile is also agreeing to spend an extra $150 million on information security during 2022 and 2023. I guess that money didn't get spent yet or it didn't work. (See section 5 in the actual agreement at https://www.t-mobilesettlement.com/home/1552/DocumentHandler...)
Well, some consultants are getting paid. Not so much the people who were actually harmed.
Why do companies always try to sugarcoat things? Its analogous to doctor gives us bad news but shows us the silver-lining. I guess these are more of the PR side of things.
It should REALLY hurt. Like strong financial penalties and CEO going to jail-hurt or at least board of directors throwing the CEO on the pavement-hurt.
For now, it's just a potential slap-on-the-wrist cost of doing business which companies like T-Mobile or Google are very happy to risk time and again.
So, a CEO runs a company which uses another company to host their servers which uses an operating system built by another company, and runs on hardware built by yet another company and has a processor built by another company yet again.
Every one of those is a potential security hole. Now who do you want to send to jail again?
I get it, it’s frustrating. But the reason we haven’t solved this problem is because it’s both complicated and complex.
People responsible for making decisions - usually holding a title of CxO. Judges are not unreasonable - if a CEO is responsible for cutting corners on security spending, it's something different than a faulty hardware (say, intel CPUs) which "everyone" uses.
Mostly we call those trade offs, with this huge gray area where we argue about whether something is a trade off or unreasonably cutting corners.
Again, these are difficult problems to address. The social aspect of getting humans to agree on something like this is hard.
For example, financial companies are required to get reams of highly sensitive data to do KYC checks. The thing is, most companies would greatly prefer NOT to have to access and store this data, but they are legally required to. As a data point, when Stripe came out with their Stripe Identity product, many were surprised that, unlike their credit card processing where a merchant never gets to see any card data, with Stripe Identity the full image of highly sensitive data like drivers' licenses and passports are available to the Stripe clients. But the reason for this is that KYC rules require this data to be available to financial institutions. See top comment on https://news.ycombinator.com/item?id=27502993 and Patrick Collison's response.
IMO the only way this problem will ever be solvable is with some sort of broad-based tokenization solution. It's just impossible for most large companies to keep this data secure forever.
The real problem is that the data is considered sensitive in the first place. It's essentially publicly available data at this point and entities that want to extend credit to a particular individual should not be able to solely rely on that data to extend credit.
The law needs to be changed to allow an individual to sue creditors and credit bureaus for libel when they accuse them of failing to pay or defaulting on a line of credit.
https://www.cnn.com/2021/02/26/politics/solarwinds123-passwo...
But serious security could hamper business growth and in the end shareholder value - not security nor morality - counts.
In a capitalist world information security lapses is just the cost of doing business.
[1] https://en.wikipedia.org/wiki/Formal_methods
> Imagine a world where all software is written using formal methods
(emphasis mine)
I would be much more agreeable to enforcing higher quality for more important things, including ex. systems that store PII for large numbers of people.
And they were still breached. "gross negligence" definitely comes to mind.
Now we have strict building codes and thousands of buildings with dozens upon dozens of floors that can resist hurricanes and earthquakes.
Software development is barely 3 generations old. One day we will have sound engineering and fairly solid systems on a scale we can't even fathom today. But it will take a lot of collective learning. For now rickety systems can hoover enough value for their owners that they are still getting built all over the place.
Already had to freeze my credit reports because of last time, this new breach is ridiculous.
It's all just a big compliance and cost x benefit balance act. We won't get any real security at scale until damages actually hurt insurers enough that they actually invest in understanding and mitigating the problems.
This issue is my "abortion" issue. What I mean is, I don't care who the candidate is, how immoral or unlikable they are. If they run punishing companies for data leaks, I will vote for them instantly.
The root issue is that we are complacently pretending that any entity is capable of ensuring long-term security of a million-datapoint database of valuable information while at the same time thousands of their employees are allowed to work with it.
My old boss was working in this space a decade ago. Private data brokers you control, that companies would have to ask for info, pending your approval and such. As you might imagine in the era of sell everything you can, the idea never took off.
In a broker scenario, the company would access it as and when needed, on a permission basis. The cool thing about such a model is that if and when you move, change phone numbers, employment, etc, you'd only have to update it in one place! The last time I moved, I think I had to change it in about 20 places. Why does every company need to independently save my address?
Companies are just ideas that exist to help society run more smoothly, if one racks up enough penalties that it goes under, that’s good enough proof that it isn’t doing its job.
Most of that used to be published in print and sent out to everyone. Do they still make phoneboks?
"some basic customer information was obtained, such as name, billing address"
Yeah THIS is why I vehemently disagree with KYC laws, especially those requiring a street address. I shouldn't have to tell someone where I sleep to use their business.
Breaches like this enable stalkers, thieves, domestic violence, lots of bad things.
Over the last 24 months, I have seen some weird increasing rate of vulnerable API endpoints in my own research. One of which would allow a bad actor direct access to over $2BB in funds (from a major organization worth more than $10BB), another plain-text credit card numbers and billing addresses (same application as the first); another were more plain-text credit card numbers (much smaller org, but still sizable). Both attacks were alarmingly non-trivial and would be scored as critical.
Why this trend is seemingly increasing, I don't know.
Credit monitoring always seemed to me like a scam ala antivirus, but in all fairness I have never purchased it either.
That should fix the problem.
> "some basic customer information was obtained, such as name, billing address, email and phone number"
Yup definitely no sensitive data there
Comparing apples and oranges.
> However, some basic customer information was obtained, such as name, billing address, email and phone number, T-Mobile said.
This isn't even the first time they got breached and yet it has happened again. They have not learned anything.
I think it is time that we stop using phone numbers as a login mechanism. It has always been a completely stupid idea from the beginning of its use.
Let the SIM swapping attacks and identity theft games begin.