T-Mobile Hacked, Information on 100 Million Users Stolen
In what has become all-too-routine news, cellular carrier T-Mobile has confirmed that hackers broke into its systems, stealing the personal data of many millions of users. Motherboard discovered the data being sold on an underground forum, with the seller claiming that they had data on 100 million customers. T-Mobile says it has kicked the hackers out of its systems, but not before they took off with customer names, phone numbers, physical addresses, social security numbers, driver license information, and IMEI numbers.
Unfortunately, there isn’t much you can do about such breaches other than making sure you don’t reuse the same passwords across multiple sites (although passwords don’t seem to have been part of this particular breach) and keeping an eye on your financial accounts and credit report.
Absent any reasonable regulator intervention, is there a simple explanation as to why consumers can’t just sue T-Mobile to the tune of something that will actually hurt?
It appears companies (at least here in the US) keep losing people’s sensitive data because they obviously don’t have that much to fear. Making their negligence more painful to them and their shareholders (i.e. hitting their bottom line) could get them to start caring.
I’m sure there could be suits, but class-action suits tend to only benefit the lawyers.
And I’m sure if you read the fine print of your service contract, there will be something that releases them of liability, which will make a lawsuit even more difficult and expensive.
This is all true, but if there are enough complaints, a local government might step in:
New York City recently won a case, and victims were compensated:
But the main purpose would be to hurt businesses to provide an economic incentive to take security seriously.
I’m not a lawyer, but it’s my understanding that one can’t hide behind the terms of a contract to excuse negligence. The problem would be to prove that a company acted negligently. I don’t know if we know enough yet about what happened at T-Mobile to determine that the company wasn’t taking reasonable precautions to guard against a breach.
Unfortunately, it seems that even when a company appears negligent—the Equifax breach comes to mind—all they seem to get is what amounts to a slap on the wrist these days. It’s not surprising that many businesses seem to take a relatively lax attitude toward securing their systems.
All correct. A contract isn’t a get-out-of-jail-free card, but it does raise the bar for any suits.
And unless it’s a very extreme case, the worst that happens from these suits is some bad press. The companies either absorb the penalty or they pass along the costs to their customers.
Yes, the affected victims will get something, but it’s rarely enough to even bother mentioning. Note the link @MMTalker shared. $9.6M was paid out to 164,400 people - each got $58. I would be surprised if that comes even close to the amount of actual damages.
I just got something like $3.26 from some Google+ class action settlement. Trying hard not to spend it all in one place.
Yeah, so obviously, damages are far too low.
What is then preventing a lawsuit (again assuming the Feds don’t finally step in) that really makes a dent? Say $10B (roughly T-Mobile USA’s profits from the last 3 years). That should probably be enough to make a more lasting impression. And of course create an economic incentive not to lose people’s sensitive data again.
Even in the event they pass that on 100% to their customers, that’s still fine. It puts them at a competitive disadvantage compared to their competitors, which again creates a strong incentive not to be idiots again in the future.
If we keep on letting these things happen without any serious repercussions, wouldn’t that make us fools to believe this should ever get better? Or are we just content with the way things are, so there is no need to change anything?
One of the questions is what the actual damages to individuals are. With my snarky comment about Google+, I didn’t suffer any damages at all as far as I know, so maybe $3.26 was too much.
The other problem is that it’s hard to prove negligence, especially as systems grow ever more complex and the sophistication of the attackers increases. There’s a real difference between failing to change default admin passwords on consumer-level gear and falling prey to an expert attack that relies on a zero-day.
So yeah, many of us want to nail the idiots to the wall, but it doesn’t feel like there’s an easy way to know when that’s appropriate.
$3.26? I got $2.15 as specified here.
Nah, that’s letting them off too easy IMHO. It is T-Mobile’s choice to ask for and save my SSN or my DOB. I never asked them to do it. If they think they need that for their dealings, fine, but then they need to ensure it doesn’t get lost because obviously that’s something that cannot be undone. But again, that is entirely their problem. I also don’t really care how negligent they were. If they store my personal information and it gets taken from them, they are responsible. They are the party I have dealings with. If somebody takes something that belongs to me and hands it over to a third party, I’m not going to accept being forced to go after that third party, I’ll go after the party that gave something away that belongs to me. It’s my data, it belongs to me. Perhaps they may borrow it (again if they believe they absolutely need it), but if they lose it, they should be held liable regardless of how well they thought they had secured their systems. Because let’s be real here, whatever they thought, they obviously weren’t secure enough as we now see.
Lawsuits sound like an inefficient and ineffective way of dealing with this issue. Wouldn’t it be better to legislate a duty of care on companies, with large fines (eg percentage of revenue) from the government/regulator in case of failure of that duty?
Clearly you see incompetent tech security people as first up against the wall when the revolution comes.
An interesting thought. Are there examples of that in other areas?
You guys are getting paid?
Lawsuits are one response. Here in Canada we have an election coming. The parties are not talking [at least prominently] about cybersecurity. IMO, it should be amongst the very top issues discussed, and amongst the biggest areas of federal government spending: subsidies for cybersecurity R&D, cyber defense, R&D, diplomacy, etc. Stealing data is very serious. But these actors can also take down entire organizations, including banks and other financial services, where they could do considerable damage.
I fully agree. That’s BTW the way it’s handled in certain European countries. In Switzerland, for example, a Datenschutzbeauftragter can fine a company for data breaches by an amount that’s determined relative to their revenue. I’m pretty sure I recall a similar system in Sweden (although it’s certainly more centralized than in Switzerland), but it’s been a while since I worked there. Since Germany is usually also very tough when it comes to privacy, I would be interested to hear from German posters here if they perhaps have a similar system in place.
In terms of us here in the US, I note that our regulators are notoriously hesitant to regulate. The former administration was not at all keen on cracking down on businesses for privacy violations. The current administration has so far not enacted or announced anything I would consider new. And TBH I’m not expecting too much either since many of its senior people were already involved in the Obama Admin and even during that time, despite less corporate laissez-faire attitude, there was no strong push to have regulators hound companies for losing sensitive customer data. The reason I asked about suing is because admittedly I’ve pretty much lost faith that our government will introduce effective punitive measures.
The EU has been adjudicating many fines:
And in Australia:
And in the UK:
And there are other significant examples from the US:
I was thinking along the lines of the British Airways case @MMTalker linked to, and some of the other EU fines.
It sounds like Sisyphus to me:
Oh, the good ol’ days of cramming! Force local telephone companies and wireless companies to allow others to add charges to their phone bills without customer approval. What could go wrong?
I didn’t have problems with T-Mobile as much as I did my local phone company, which was called BellAtlantic at that time. Every other month, there’d be some charge for Safety service or Astrology or some other service I never requested. BellAtlantic was hamstrung. They had to bill me and were forced to turn over any funds to the third party biller.
If I wanted the charge gone, I would have to contact the third party. Of course, that was impossible. Calling the contact number lead to a recording that said the charge was probably authorized by my spouse or child. We
The Attorney General finally stepped in and sued over 100 companies for cramming. Federal regulators then changed the regulations to say that if I wanted third party services, I personally would have to tell my phone company before they could charge for the service. That killed the business.
It’s the ease of putting data online and the difficulty in securing it. Imagine securing a house with 100 doors and windows. Oh, and you want people who are authorized to be able to get in, but only into certain rooms and not others.
Target, the most famous case, was hacked because the HVAC company they used had access to their HVAC system. The HVAC company was hacked, and then the hackers got into the Target HVAC system, found their way into the third party POS system which wasn’t secure (but that’s okay, it’s an internal only system), and from there stole almost a hundred thousand credit cards with credit card security codes, customer addresses and your purchase history.
If you have 10,000 customer service agents, each with full access into the billing system, all it takes is for one of them to leak their password. Our company instituted 2FA internally and that was a big mess. It was hard for many of our representatives to understand how it works.
Security is hard.
And yet, some companies seem to get it right. I would argue if a company cannot secure my data properly, then it has no business taking and storing it. If they do store it however, and they get hacked, they should feel the full wrath of God come down on them. I’d argue that is what would incentivize them to try harder and get it right. Several existing companies (both large targets and small) demonstrate this can be done, if the problem is taken seriously and sufficient resources allocated. One way to get companies to do that is tough privacy laws (but that requires a government willing to regulate business), the other would be the threat of severe punitive damages brought on by civil suits.
Like you, I also experienced the growing pains of 2FA at my work. There was a lot of resistance and indeed, to this day, it can be a real pain depending on what exactly you’re trying to do, but by now it’s firmly entrenched and there is absolutely zero doubt it will remain.
Indeed. It doesn’t seem to be impossible. I do wonder how the security budgets compare at the companies that get it right versus those that don’t. I’ll bet it’s wildly different.
If indeed that’s the case it would make an even stronger argument for steep fines or punitive damages. If those add to the cost of being negligent it would tip scales in favor of more investments towards security.
I’m not sure why the FCC is investigating, instead of some law enforcement agency, but this incident is clearly not being ignored by government regulators.
T-Mobile released an update on the situation today.
T-Mobile’s CEO has released a statement.
Join the discussion in the TidBITS Discourse forum