Lessons learned from the hack that cost T-Mobile $500m

Following a high profile 2021 hack, which made the data of 76.6 million US citizens vulnerable, T-Mobile will pay $350 million as compensation to those affected. An additional $150m will go towards enhanced cybersecurity measures.


“Keeping our customers’ data safe is a responsibility we take incredibly seriously and preventing this type of event from happening has always been a top priority of ours,” said T-Mobile CEO Mike Sievert said in 2021 after the 4th serious data breach in 5 years, which affected not just current and previous customers but also people who have never been customers at all.


So how did it happen? The hacker who claimed responsibility in a Wall Street Journal interview used an unprotected router to access T-Mobile’s network and millions of customer records in the mobile carrier’s latest breach and said that T-Mobile’s security was “awful”.

The hacker gained access to a data centre, where he was able to explore more than 100 of the company's servers. The hacker remained undetected for around a week and during which time he copied and extracted the records of over 76 million people.


In addition to names and phone numbers, the stolen material also included more private information including social security numbers, information from driver's licences, and unique mobile device IDs (IMEI numbers.) The data was being sold in part online for six bitcoin.


As a result, T-Mobile was accused of having lax cybersecurity policies, not protecting its consumers, and not informing the authorities of the incident. $350 million of the proposed settlement will be given to legal fees, court costs, and victims who made claims. Data security will cost an added $150 million.


There are many questions still to be answered. Why was data privacy not being taken seriously despite it being part of a company’s corporate social responsibility obligations? How can a hacker remain inside a network for a week, when cyber-monitoring is available for every company?


It is also important to understand the value of data. Data assets are becoming the basis for the overall worth and expansion of contemporary organisations. However, a lot of businesses do not understand the worth of their current data assets or the underlying factors that can boost data value. Companies like T-Mobile that do not value their data asset and follow through with a robust strategy to manage and protect it, put their reputation and market value at risk.


Hackers on the other hand understand the value of data very well. Hackers and other cyber criminals frequenting hacker forums know that stolen personal data can be reused repeatedly, for identity fraud, and as the building blocks to vishing, business email compromises, impersonation attacks, and social engineering attacks. These attacks are worth billions: a conservative estimate of future attacks is predicted to cost business across the globe between $2 and $3 billion over the next 2 years.


The society we live in now is dominated and defined by information technology, and data responsibility raises increasingly ethical and commercial issues. It is undeniable that improving data security results in competitive benefits, particularly in global markets. Organisations also have a responsibility to protect the privacy and security of their customers.


The question is: do you want to be like T-Mobile or do you want to reap the rewards that comprehensive and robust data security can offer you?


Find out more about Crossword’s cyber threat monitoring, breached credentials alert platform and cybersecurity consulting services.