Roughly 37 million T-Mobile customers have had their information stolen in a data breach, according to a statement published by the company late last night. Fortunately, T-Mobile has said that while hackers accessed names, addresses, and dates of birth, they were not able to access more sensitive information such as Social Security or credit card numbers.
But according to Sam Curry, Chief Security Officer at Cybereason, “what is or isn’t sensitive is an important question to ask. Whether or not sensitive data and financial information was lost, isn’t the point. Customer information is a privilege to hold, not a right; and while it’s great that T-Mobile’s network wasn’t compromised in this instance, and that outright theft wasn’t enabled through loss of direct billing numbers, eroding privacy and making it easier for hackers to compromise identities is still important and sensitive.”
T-Mobile has also revealed the hacker leveraged an application programming interface (API) to obtain the data. This isn’t the first time a major telecom has been hit with a data breach at the hands of an API issue – just last year the Australian organisation Optus suffered a similar fate, being forced to allocate $140m to rectify the issue.
An attack of this magnitude was bound to make waves in the industry, and experts are waiting with baited breath for the results of T-Mobile’s investigation.
“It appears that T-Mobile moved quickly and, while the details aren’t yet known, the world is paying attention to the results of this investigation. Hackers are innovative, and companies with valuable data and services are always a target, but it remains to be seen if the compromises in 2023 are similar to the ones suffered by T-Mobile in 2021. Did the company learn from 2021? Was 2023 unique? Was this a case this time around if anyone can fail occasionally or is it worse than that? Only time and the facts will tell us and tell T-Mobile and fellow practitioners what the new lessons-to-be-learned are,” Curry continued.