T-Mobile has revealed that it suffered a second customer data breach in 2020. According to T-Mobile:
“Our Cybersecurity team recently discovered and shut down malicious, unauthorized access to some information related to your T-Mobile account. We immediately started an investigation, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was involved”.
On this occasion, we understand that customers in the UK are not affected by the T-Mobile data breach.
The breach is the second customer data security incident to have occurred at T-Mobile in 2020. In March, the company disclosed another breach putting its customers’ personal and financial data at risk. Names, phone numbers, account details and addresses of pre-paid customers were all exposed in the earlier data breach. And, if that was not bad enough, T-Mobile also disclosed similar cybersecurity incidents in 2019 and 2018. So, the company experienced four data breaches in just three years.
T-Mobile is not alone
Unfortunately, big organisations are repeatedly failing their customers when it comes to looking after their data. For example, in 2018 a huge data breach put 339 million Marriott International customers at risk. The Information Commissioner’s Office (ICO) fined the US hotel group £18.4 million in response. However, in 2020, Marriott suffered another data breach. It seems that, even in the face of a massive fine from the ICO, Marriott still had issues concerning its data protection responsibilities.
Likewise, despite two data breaches in 2018 (and an eventual £20 million fine), just a year later a vulnerability in British Airways’ check-in procedures once again exposed passenger information.
And the list goes on.
In 2017, a Dixons (Carphone Warehouse) data breach resulted in 10 million customer records being accessed from Currys PC World and Dixons Travel stores. However, that breach was not the first time the company had failed to protect its customers’ data. Carphone Warehouse, which merged with Dixons, was previously fined £400,000 following another cyber-attack. At that time, the huge fine was one of the biggest ever handed out by the ICO (under new data protection regulations the ICO has the power to issue much higher penalties).
Are organisations taking data protection seriously enough?
Commenting on the issue of repeat data protection failures, head of data breach at Keller Lenkner UK, Kingsley Hayes, said:
“An increasing number of companies are experiencing multiple security breaches. And, where there is a pattern of violations, there are likely to be significant security issues at play. Cybercriminals are smart, and they understand this and are ready and able to exploit such vulnerabilities.
“Fraudsters have come to understand the value of data and recognise that they can use personal information to commit theft and other crimes. However, while hackers know the importance of data, companies either do not or are not prepared enough. Indeed, with so many big organisations experiencing multiple security incidents, at best we could argue that big companies are not learning effectively from their security mistakes. Others might say they do not care.
“The truth is, in many cases, organisations are lucky that they have not suffered more data attacks. Because, when you adopt a reactive “break-fix” approach rather than a proactive security-first approach, it’s only a matter of time before something else goes wrong”.
Your data rights are important
Just because some large organisations are not prioritising data security, this does not mean you should not. At Keller Lenkner UK, our expert data breach lawyers help people to claim compensation for data privacy violations. It is a job we take very seriously, not least because we understand the considerable impact (which can often be traumatic) a data breach can have on an individual.
Cybercrime can result in financial and/or identity theft. And even if you do not lose out financially after a data breach, this does not mean that you will escape unscathed. Many people suffer psychologically after a privacy violation, with new symptoms developing and existing ones being made worse.
Your data has value and organisations are legally obliged to look after it. Something must be done to make companies accountable for their data protection failures. And, in many cases, acting against these organisations is the only way to make them improve their security processes.