T-Mobile has admitted that, once again, hackers have accessed its systems. The confirmation of the latest T-Mobile breach comes after some customer data was found for sale on a cybercriminal forum.
The seller is asking for 6 bitcoin (around £203,000) for a 30 million subset of the data. The seller claims to be selling the rest of the data privately.
As yet, T-Mobile has not determined what data is involved, and the company is investigating the data breach to see if sensitive customer information has been put at risk. However, according to the seller, the stolen data includes the social security numbers, phone numbers, names, physical addresses, unique IMEI (International Mobile Equipment Identity) numbers, and driver license numbers for 100 million people.
One sample of the data has been verified as at least partially valid.
A history of data protection failures
This isn’t the first data breach T-Mobile has experienced.
In 2020, the company suffered two customer data security incidents, one of which put its customers’ personal and financial data at risk. T-Mobile also disclosed similar cybersecurity incidents in 2019 and 2018.
That makes this the fifth T-Mobile hack in recent years.
Are you at risk?
We don’t yet know if UK customers are at risk. But, as victims of data breaches often become the target of cybercriminals, if there is any chance that your data could be involved, it pays to be safe.
To keep yourself safe after a data breach, Keller Lenkner UK has provided some helpful tips.
T-Mobile is not alone
Big organisations are repeatedly failing their customers when it comes to data protection.
In 2018, a data breach put 339 million Marriott International customers at risk. In response, the ICO fined the US hotel group £18.4 million. However, in 2020, Marriott suffered another data breach. Even in the face of a huge fine from the ICO, Marriott still had issues with its data protection responsibilities.
Despite two data breaches in 2018 (and an eventual £20 million fine), just a year later a vulnerability in British Airways’ check-in procedures once again exposed passenger information.
And the list goes on.
In 2017, a Dixons (Carphone Warehouse) data breach resulted in 10 million customer records being accessed from Currys PC World and Dixons Travel stores.
But Carphone Warehouse, which merged with Dixons, was previously fined £400,000 following another cyber-attack. At that time, the huge fine was one of the biggest ever handed out by the ICO. (The ICO now has the power to issue much higher penalties.)
Organisations are not taking data protection seriously enough
Commenting on the issue of multiple data breaches, head of data breach at Keller Lenkner UK, Kingsley Hayes said:
“An increasing number of companies are experiencing multiple security breaches. And, where there is a pattern of breaches – as in the case of T-Mobile – there are likely to be significant data security issues at play. Cybercriminals are smart, and they understand and exploit this.
“With so many big organisations experiencing multiple security incidents, at best, we could argue that big companies are not learning effectively from their security mistakes. Others might say they just do not care.
“In many cases, organisations are lucky that they have not suffered more data attacks, as when you adopt a reactive ‘break-fix’ approach rather than a proactive security-first approach, it’s only a matter of time before something else goes wrong.”
Your data rights are important
Your data has value and organisations are legally obliged to look after it. Something must be done to make companies accountable for their data protection failures.
In many cases, acting against these organisations is the only way to make them improve their security processes.
At Keller Lenkner UK, our expert data breach lawyers help people to claim compensation for data privacy violations. It is a job we take very seriously. Not least because we understand the huge impact (which can often be traumatic) a data breach can have on an individual.
We will be investigating the latest T-Mobile data breach to establish if it affects customers in England & Wales. If it does, we will likely launch a group action to help these customers claim compensation.