This week, T-Mobile announced that hackers obtained the personal information of millions of customers in a ransomware attack. While the telecommunications giant said that 40 million users had their data compromised, the thieves themselves claimed they made off with information from more than 100 million people. This includes customers’ names, phone numbers, and addresses as well as other sensitive data such as social security numbers, drivers license information, and PIN numbers.

T-Mobile added that no passwords or account numbers were taken by the hackers, but experts stress that the information the thieves took could still be used for illegal purposes. “This is ripe for using the phone numbers and names to send out SMS-based phishing messages that are crafted in a way that’s a little bit more believable,” said Crane Hassold, threat intelligence director at the firm Abnormal Security. For instance, a scammer could use information obtained from the hack to create fake T-Mobile ads that appear targeted to a specific user. If that person then clicks on a phony link, their computer or smartphone could be instantly infected.

According to security experts, individuals are largely responsible for looking after their own data, even in the event of a major breach like the one against T-Mobile. “We should not have to opt out of using services in order to protect ourselves,” said Yuan Stevens, a researcher at Ryerson University who has studied a 2018 hack of T-Mobile. “Instead institutions should be responsible for protecting consumer data.” But even if major companies manage to develop the latest and greatest data security measures, they still have to keep up with the ever-changing methods of hackers working in the shadows. “The security programs most companies have are just struggling to keep up,” said information security expert Daniel Miessler.

Questions:

1. How could criminals potentially use the data obtained in the T-Mobile hack to target customers?
2. Do you think major companies like T-Mobile should take more responsibility for protecting customer data? Why or why not?

Sources: Isabella Grullón Paz, “T-Mobile Says Hack Exposed Personal Data of 40 Million People,” The New York Times, August 18, 2021; Brian Barrett, “The T-Mobile Data Breach Is One You Can’t Ignore,” Wired, August 16, 2021.