T-Mobile 2021 Breach, New Multi-Million Dollar Settlement
July 22, 2022 | 5 minutes read
On July 24, 2022, it was announced that multinational mobile communications company T-Mobile had agreed to settle a class-action lawsuit that had been levied against the corporation in response to a massive data breach that occurred in August of 2021. The lawsuit that was brought against the company claimed that this breach resulted in the personal information of more than 76.6 million people being accessed and disclosed in a manner that was illegal. Subsequently, T-Mobile has agreed to pay a whopping $350 million to settle the claims made by the numerous customers involved in the lawsuit, as well as another $150 million to upgrade the security mechanisms that the company uses to protect the personal information of said customers.
August 2021 data breach
When the data breach that spurred this class-action lawsuit against T-Mobile was initially reported, said reports claimed that the number of people that had been affected was more than 100 million. In response, T-mobile was quoted in a press release as saying “We have not yet determined that there is any personal customer data involved,” T-Mobile said in a release. “We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed.” Despite the claims made by the company, it was later revealed that a wide range of personal data had indeed been compromised during the breach.
To this point, Canadian-American new and lifestyle magazine Vice later reported that the information that had been stolen from T-Mobile customers during the data breach had been posted for sale on an online forum. The hacker who posted this information wanted 6 bitcoin, roughly 7,000 at the time of the breach, in exchange for “a subset of the data containing 30 million social security numbers and driver licenses.” In addition to these forms of personal data, the cybercriminals that hacked T-Mobile’s servers were also able to obtain phone numbers, names, physical addresses, and unique IMEI numbers, among other forms of personal information pertaining to customers.
Repeat offenses
Much like other large companies and corporations that have experienced data breaches in recent years, the breach that was levied against T-Mobile in August 2021 was by no means the first to have occurred. On the contrary, the company has been involved in seven major data breaches in the past 4 years alone, as a host of different hackers and cybercriminals have been able to access the personal information of T-Mobile customers via a wide variety of different methods and means. To illustrate this point further, the Lapsus$ hacking group, comprised of numerous purported cybercriminals that reside within the UK and other nations within Europe, allegedly hacked T-Mobile’s source code in April of 2022.
The breach in question was first exposed by security journalist Brian Krebs, who posted screenshots that displayed alleged members of the Lapsus$ hacking group talking about the information they had obtained illegally from T-Mobile, as well as other major corporations such as Nvidia and Ubisoft, via a private Telegram chat channel. For context, several members of the said hacking group were arrested by the City of London Police in March of 2022 for various other unrelated cyber offenses, including “three counts of unauthorized access to a computer with the intent to impair the reliability of data, one count of fraud by false representation and one count of unauthorized access to a computer with intent to hinder access to data.”
Just as T-Mobile had done when the August 2021 data breach was first reported, the company responded to these recent events by stating that “no customer or government information” had been compromised during the security incident. While it still remains to be seen whether this is true or not, the Lapsus$ hacking group is alleged to have accessed T-Mobile’s internal tools via stolen employee credentials and social engineering methods. If this is proven to be true, it will be the latest incident in what has become a disturbing trend for the global telecommunications company, as they are beginning to develop a reputation for failing to protect the personal information of the millions of customers they serve worldwide.
Data breaches and redaction
While data breaches are an inevitable part of online and internet communication, there has undoubtedly been a rise in coordinated attacks that are geared towards stealing personal information from large-scale companies and small businesses alike in recent years. To this end, even when the amount of data that is stolen is relatively small compared to the data breaches that T-Mobile has experienced in the past 2 years, there are still a multitude of consequences that arise when such events occur. Most notably, companies will invariably be forced to pay large sums of money when they sustain a data breach, be it to settle a class action lawsuit, to rectify the situation in real-time, or to pay a ransom to an alleged hacking and cybercriminal group such as Lapsus$ in an attempt to retrieve the information that has been stolen.
Alternatively, automatic redaction software programs provide businesses of all sizes and scales with an affordable and effective solution to mitigating the negative effects of being involved in a data breach. As a multinational company such as T-Mobile will have the personal information of millions of different people on file at any given time, protecting this data using traditional means is growing increasingly more difficult with each passing year. Likewise, an employee working at a particular T-Mobile store location could instead use an automatic redaction software program to obfuscate any personal data they do not need to access as a part of their daily operations, including phone numbers, physical addresses, social security numbers, and financial account login information, among a host of other forms of data. In doing so, businesses like T-Mobile would be able to greatly curtail the risks of continuously being involved in data breach incidents.
In spite of advancements that have been made with respect to technology in recent years, the approach that hacking groups such as Lapsus$ have taken in regard to cyber criminality in recent years is no different from any other forms of theft or thievery that have occurred throughout the history of the world. When a business has valuable assets it must maintain in order to function properly, said business must take the steps and measures necessary to protect this information at all times. As recent events surrounding T-Mobile have shown, failing to address these cyber security issues has not proven to be effective, and the company continues to lose money and receive bad publicity due to this fact.