For the second time in a matter of four months, T-Mobile announced it has suffered a data breach. Cyber-security experts say it’s a cautionary tale about the vulnerabilities of e-mail accounts that are not properly secured.
T-Mobile disclosed the latest breach in a recent notice to customers. “Our cyber-security team recently identified and shut down a malicious attack against our e-mail vendor that led to unauthorized access to certain T-Mobile employee e-mail accounts, some of which contained account information for T-Mobile customers and employees,” the company stated.
The information accessed may have included customer names and addresses, phone numbers, account numbers, rate plans and features, and billing information. Financial information, including credit card information, and Social Security numbers were not impacted, T-Mobile said.
“We are not aware of any evidence where the information contained in the affected e-mail accounts has been used to commit fraud or otherwise misused,” the company stated. T-Mobile said it immediately reported the data breach to federal law enforcement and is “actively cooperating in their investigation.”
This is the second known data breach the mobile carrier has suffered in recent months. In another notice to customers, issued in November 2019, T-Mobile said its cyber-security team, again, identified and shut down “malicious, unauthorized access” associated with its prepaid wireless accounts. In that incident, hackers compromised much of the same information as that reported in the latest breach, including name and billing addresses; phone numbers; account numbers; and rate plan and features.
Following the latest breach, T-Mobile said it is “always working to enhance security, so we can stay ahead of this type of activity and protect our customers. We also are reviewing our security policies and procedures to enhance how we protect these systems.”
Broader industry warning
“It is very concerning that T-Mobile has suffered yet another data breach,” says Tony Pepper, CEO of software company Egress. “This should serve as a timely reminder to any company that the handling, processing, and storing of customer data should be its number one priority, even when at rest in third-party systems.”
Today, technologies like contextual machine-learning “can make e-mail safe without railroading productivity, helping to prevent common breaches like misdirected emails and also ensuring the right level of encryption is applied to sensitive data,” Pepper says. “In this case specifically, encryption at rest could have been used to help prevent hackers accessing the data stored in these e-mail accounts.”
Announcement of the T-Mobile breach comes a week since the Federal Communications Commission proposed a fine against T-Mobile—along with the three other largest wireless carriers in the United States—for allegedly selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information.