T-Mobile: A History of Data Breaches and Inadequate Security Measures

Meghan Briskey


T-Mobile, one of the largest mobile carriers in the United States, has a troubled history of inadequate security measures for customer data. Since 2018, T-Mobile has suffered 4 high-profile attacks that have exposed the data of millions of customers.

Pattern of Data Breaches

The first major attack happened in 2018, when hackers were able to gain access to T-Mobile systems due to a misconfigured firewall. As a result, the data of over 30 million customers was leaked, including names, Social Security numbers, driver’s licenses, addresses, phone numbers, account information, and dates of birth. The impact of this breach was substantial. The exposed information put millions of customers at risk of identity theft, financial fraud, and other malicious activities. T-Mobile faced significant backlash from customers, regulators, and industry experts, raising questions about the company’s ability to safeguard sensitive data.

In response to the breach, T-Mobile took several steps to improve its security measures, including hiring additional security personnel, investing in new security technologies, and implementing stricter security policies and procedures. The company also offered affected customers two years of free credit monitoring and identity theft protection services.

But that was only the beginning. In 2021, T-Mobile was hit with another attack, this time through its vulnerable API. The API allowed other applications to communicate with each other, and hackers were able to gain access to it and extract customer data. This time, over 7 million prepaid customers were affected. The breach was initially discovered by T-Mobile on January 5, 2022, after it noticed “unusual activity” on its American networks. The company then conducted an investigation and determined that the breach had occurred in August 2021. T-Mobile publicly disclosed the breach on January 19, 2022. With this second attack, concerns were starting to be raised about T-Mobile’s security practices.

A year after T-Mobile disclosed its 2021 breach, the company was hit yet again. Further vulnerabilities in its API that had not been fixed after the previous breach caused the data of 37 million customers to be leaked. What did T-Mobile do? It announced that it knew what the vulnerability was and was taking steps to fix it.

But we’re not done… In August 2023, T-Mobile disclosed that it had experienced yet another data breach, one that affected over 50 million postpaid customers. The breach was caused by hackers who exploited a vulnerability in T-Mobile’s SMS gateway to gain access to customer information. The stolen data included names, addresses, phone numbers, and driver’s license numbers. Again, T-Mobile stated that it had identified the vulnerability and taken steps to remediate it.

What happened to T-Mobile?

The government has taken action against T-Mobile in response to the data breaches. In 2022, T-Mobile agreed to pay $350 million to settle a class action lawsuit filed over the 2021 data breach. The settlement was one of the largest data breach payouts in U.S. history. In addition to the civil lawsuit, T-Mobile has also been investigated by the Federal Communications Commission (FCC) and the Federal Trade Commission (FTC). The FCC is investigating T-Mobile’s data breach notification practices, while the FTC is investigating whether T-Mobile engaged in unfair and deceptive trade practices. The government’s actions against T-Mobile are a sign that the company needs to take its cybersecurity responsibilities more seriously. The company has a history of data breaches, and it needs to do more to protect its customers’ data.

In the investigations, T-Mobile was found to be using outdated encryption algorithms for its customer data. In 2018, the company was found to be using the A5/1 encryption algorithm for its GSM network, which was considered outdated and vulnerable to attack. The company upgraded to the A5/3 encryption algorithm in 2017, but this algorithm was also considered weak. In 2021, T-Mobile was again criticized for using outdated encryption algorithms when it was discovered that the company was using the GEA-1 encryption algorithm for its 2G network. This algorithm was developed in the 1990s and was considered to be so weak that it was never publicly released. In 2022, the company upgraded its encryption for user data to AES-256.

In response to the criticism, T-Mobile has pledged to improve its cybersecurity practices. The company has hired additional security staff, invested in new security technologies, and implemented stricter security policies and procedures. However, it remains to be seen whether these measures will be enough to prevent future breaches. T-Mobile needs to take immediate and decisive action to address its cybersecurity vulnerabilities and restore customer trust.

All the government did was investigate and fine T-Mobile. Should it have pushed for some sort of cybersecurity practices?

What are the ethical implications of companies using weak encryption algorithms to protect customer data? 

How can companies balance the need for security with the need for convenience when it comes to data encryption?
