Maybe it's time to regulate privacy to make the retention of personally-identifying information illegal for companies that have no need to retain it. PII should be considered legally radioactive. There's no excuse for a mere wireless carrier to need your SSN.
Or maybe it's time to do away with SSN as a form of authentication. If there is a single person in the US that hasn't had theirs be stolen by now, I'd be shocked.
I can revoke a cert that has been compromised. I don't understand why we don't have a similar procedure set up for my PII.
T-Mobile does not require any identification to get a prepaid phone line. You can submit whatever name you'd like for the line. There's no SSN requested either.
Any requirements imposed at a local store are specific to your State. If you really want to get one without providing any PII, get the line in a different State.
Not providing information is the first step of limiting the blast radius of data leaks.
T-Mobile screams coupon-clipping to me, and that's the entire reason I've avoided it. Sounds stupid, but AT&T has been fine. Worth paying a little more.
They will also give the discount if you use a debit card. I'm pretty sure the reason for this is because FedNow launches this summer (usa is finally getting nationalized instant payments) and the qualifying information is your debit card or checking details.
I just replaced the credit card on my up my account with a Privacy.com virtual debit card with a monthly spending limit for that card equal to my bill. It seems to still be giving me the AutoPay discount but I’ll wait and see when my May bill comes in a few days.
Keep in mind, these are the ones we know about. I would imagine there could be many, many more. I work for a large health care company. We've had several breaches already this year. None have been made public and users were never notified.
Unless the press or some independent researcher like Krebs digs something up, its often times rare a company will make this stuff public.
Go do a year in IR if you want some inside perspective -- and to shave a few years off your existence. Sounds about normal for a large telecommunications firm. These large firms don't have 30+ person IR teams on round the clock shifts distributed worldwide because nothing ever happens. T-Mobile just has some transparency and likely actual monitoring in place to detect these breaches instead of them just floating by until some threat actor sells the data somewhere public.
I use their network via Mint is because they do not require any ID. I buy SIM cards with cash. Breaches like this don't matter for me since they have no personal information.
T-Mobile also has (had?) an issue of poorly secured customer service devices. I'd consider each of those instances to be a breach, although at a smaller scale.
> The information obtained for each customer varied but may have included full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines
wow, pretty much everything. great. How have they not learned from the last SEVEN times?! Can they be sued for this? Can they be fined by the government for this?
I just logged in and when I tried going to my profile section I just got a screen that said "Access restricted". Maybe because I'm logging in from my work laptop which I've never done before. I guess this is how they are trying to deal with the issue, preventing access of sensitive info from "suspicious" logins.
This would be a lot less problematic if we in the US wouldn't constantly use an ID as a authentication secret. Usage of social security numbers as a auth secret needs to be treated as a national emergency. Won't happen though because most our Congress people are geriatric and don't understand technology and the industry would push back on any change because it would cost then money.
I used to "half-joke" about wanting everyone's SSN published in one big fat breach. I don't joke about it now. I really do want every single SSN to be published somewhere with the associated identities. It seems like nothing short of that will convince banks and other sensitive institutions to give up on using it as a secret.
Then, once the SSN can't be plausibly relied upon to authenticate people, these industries will have to do the hard work themselves.
> I used to "half-joke" about wanting everyone's SSN published in one big fat breach. I don't joke about it now
The 2017 Equifax breach was 40+% of americans. As far as I can tell, it barely changed anything about using SSNs as username and password for identity and credit. It maybe helped end user fees for credit freezes. Based on the response to that breach, I don't think a full dump would change anything either. I don't know what it was like before this breach, but identity fraud doesn't seem to get any investigation these days --- a year or so, someone rented an Oakland luxury apartment and tried to open two credit cards in my spouse's name and social security number, and Oakland PD didn't follow up at all.
Yeah, but even that breach isn't a public thing. The contents of it, I mean. Like, I can't go to a site somewhere and just look up people's names and find out their socials.
That's what I'm hoping for. A full database dump of everybody's SSN that's made embarrassingly public, so people can see just how useless SSNs are. I could enter "Marvin Garrison, DOB 1974-04-20" and get Marvin's SSN.
A torrent file, made available for even a short period of time, would be preserved forever and put the final nail in the coffin.
I know this sounds like some nerd version of Fight Club, but I stand by it :)
But wouldn't that require a lot more personal information to be in the leak than just Name/SSN? At least DOB, and sometimes more would be required. Therefore that would be a huge and damaging leak that would encompass more than just SSNs. Be careful what you wish for.
Yeah, let's keep it to stuff that's already widely known. First, Last, DOB. That's it.
Sure, there will be duplicates. John Miller, born on 10/10/1963 will happen a dozen times maybe. Will still be effective in destroying the SSN as a magic key.
You don't have to prove damages, just negligence. T-Mobile has a fiduciary duty to protect your private details. The problem is you'll be lumped into to some class action suit and handed a payout for pennies on the dollar while the lawyers laugh all the way to the bank. If individuals started suing it would be an absolute nightmare for T-Mobile. I'd happily pay the 40 dollars for a small claims court fee, but thankfully I'm not a customer of this bozo operation.
I have proof they made an error on my name that they always refused to fix and I receive all kind of scams and attacks with those.
Robinhood that has a different one has the exact same problem. But they are almost entirely crypto scams by email.
"division" is not the right term for it. They are really different companies, even though the majority owner is the same and they use similar branding. T-Mobile US wasn't created by T-Mobile Germany expanding, but rather through Telekom buying US carriers and rebranding them, and thus they don't share infrastructure or corporate structures.
This seems to be happening very often. Boost mobile got (allegedly) ransomwared a few months ago. There customer facing systems were down for more than a week. It’s a mess.
This number seems oddly low. My first instinct is not to trust that this was reported honestly. But if it is accurate, why was it so low? Perhaps there's something else very interesting about this breach they're not disclosing (not that they would provide more than the bare minimum amount of information required anyways).
The announcement was from the Maine AG. I presume these are all customers in Maine. It’s likely customers in other states were affected as well, but this has not been announced.
Remember this will happen again and again and again and again and again and again and again and again and again until America actually gets some proper data protection/privacy laws. You should consider all your data insecure and expect it to be breached at some point - as soon as it leaves your device you are no longer in control.
I can't imagine a provider being hacked in the EU 9 times being able to get away with not changing its practices/being fined into oblivion.
Pretty much this. I cant seem to find it now but I read a study late last year that data breaches/hacks have almost no impact to the share price, no impact on customer base and consequently no impact to the leadership of a company. Thus, leadership is less likely to invest in security and privacy of their users.
All my data has been leaked so often now by various companies, including my W2 when a past employer got spear phished. Meanwhile I have a really good contract with T-Mobile and been very happy with the service. Both in terms of connectivity and in-store service. While I'm upset about this, I'm not gonna go through the hassle of moving to a different service provider, all of whom have bad reputations anyways.
This is one of my big concerns with T-mobile acquiring Mint (or any other provider). T-mobile has a terrible track record for security, and companies that it acquires will likely inherit some of those vulnerabilities.
I would not be surprised if T-Mobile keeps Mint's systems separate from their current systems. They haven't even figured out how and/or have no interest in being able to handle T-Mobil prepaid and T-Mobile postpaid from the same system, so I doubt that they will be able to fold in an outside system.
Seriously, when I switched from T-Mobile postpaid to T-Mobile prepaid it was like changing carriers. New SIM, different website, mobile app does not work with prepaid accounts [1], different payment methods accepted, and more.
If it weren't for the branding and the prepaid website being a subdomain of t-mobil.com someone looking at both would not guess that they are the same company.
[1] It says "Sorry we're not ready for you. We're working on improving your app experience". It's been that way for many years, and whenever anyone asks about it on the T-Mobile forums someone from T-Mobile says they are working on it.
Lol, maybe the second line should be “Make changes that destroy programmer productivity while doing nothing to address security, and claim that it is a new security policy”. T-mobile didn’t pioneer the concept of using offshore fraudulent contractors and consultants to build your core IT infrastructure, but they certainly perfected it.
T-Mobile must have very good security to be able to detect these breaches. Most companies (and government) have terrible security and just assume everything is fine because they never hear about any problems. Of course, you will never hear about any problems if you have no active detection and investigation capability.
The worst thing about having your SSN leaked in a breach is that you can’t get a long-term credit lock until after you’ve already suffered identity theft.
You need to show evidence you’ve had your identity stolen before you can safely prevent it from happening. The whole industry is exactly backwards.
I used to work for T-Mobile. I suspect that they get breached so often due to age of one of their primary billing systems, which is written in PowerBuilder.
I had just started using Mint mobile and then I find out a month later that T-Mobile is acquiring them, now this... there was a reason I never wanted to use T-Mobile. Guess I gotta find another provider... again
67 comments
[ 3.9 ms ] story [ 136 ms ] threadIt's just a hassle to move so I stay because of inertia (read: laziness).
I can revoke a cert that has been compromised. I don't understand why we don't have a similar procedure set up for my PII.
Any requirements imposed at a local store are specific to your State. If you really want to get one without providing any PII, get the line in a different State.
Not providing information is the first step of limiting the blast radius of data leaks.
There is no way in hell I’m giving T-mobile my checking account info.
Are there companies with a worse track record than this? Seems like they get breached way more than average.
Unless the press or some independent researcher like Krebs digs something up, its often times rare a company will make this stuff public.
https://github.com/n0sec1/n0sec-blog/blob/main/data/blog/how...
wow, pretty much everything. great. How have they not learned from the last SEVEN times?! Can they be sued for this? Can they be fined by the government for this?
I just logged in and when I tried going to my profile section I just got a screen that said "Access restricted". Maybe because I'm logging in from my work laptop which I've never done before. I guess this is how they are trying to deal with the issue, preventing access of sensitive info from "suspicious" logins.
The system is broken. There is no accountability whatsoever. You have no power to change any of this. It's all fucked.
Then, once the SSN can't be plausibly relied upon to authenticate people, these industries will have to do the hard work themselves.
The 2017 Equifax breach was 40+% of americans. As far as I can tell, it barely changed anything about using SSNs as username and password for identity and credit. It maybe helped end user fees for credit freezes. Based on the response to that breach, I don't think a full dump would change anything either. I don't know what it was like before this breach, but identity fraud doesn't seem to get any investigation these days --- a year or so, someone rented an Oakland luxury apartment and tried to open two credit cards in my spouse's name and social security number, and Oakland PD didn't follow up at all.
That's what I'm hoping for. A full database dump of everybody's SSN that's made embarrassingly public, so people can see just how useless SSNs are. I could enter "Marvin Garrison, DOB 1974-04-20" and get Marvin's SSN.
A torrent file, made available for even a short period of time, would be preserved forever and put the final nail in the coffin.
I know this sounds like some nerd version of Fight Club, but I stand by it :)
Sure, there will be duplicates. John Miller, born on 10/10/1963 will happen a dozen times maybe. Will still be effective in destroying the SSN as a magic key.
How many times is it going to take for them to actually take this seriously?
This number seems oddly low. My first instinct is not to trust that this was reported honestly. But if it is accurate, why was it so low? Perhaps there's something else very interesting about this breach they're not disclosing (not that they would provide more than the bare minimum amount of information required anyways).
The intrusion lasted that long and only data of 836 subscribers was affected?
That's a weirdly low figure for having over a MONTH of access to their systems. What did they hack, a barely used fax-machine?
I can't imagine a provider being hacked in the EU 9 times being able to get away with not changing its practices/being fined into oblivion.
Seriously, when I switched from T-Mobile postpaid to T-Mobile prepaid it was like changing carriers. New SIM, different website, mobile app does not work with prepaid accounts [1], different payment methods accepted, and more.
If it weren't for the branding and the prepaid website being a subdomain of t-mobil.com someone looking at both would not guess that they are the same company.
[1] It says "Sorry we're not ready for you. We're working on improving your app experience". It's been that way for many years, and whenever anyone asks about it on the T-Mobile forums someone from T-Mobile says they are working on it.
Make some bare minimum changes due to budget constraints.
Get hacked again.
Make a statement.
Hire security consultant.
....
You need to show evidence you’ve had your identity stolen before you can safely prevent it from happening. The whole industry is exactly backwards.
https://www.usa.gov/credit-freeze