T-Mobile has sent notifications to its customers to inform them of a data breach that has resulted in some of their names, addresses, phone numbers, account numbers, rate plans, features, and billing information being compromised.
The notification reads:
“An investigation was immediately commenced, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was affected. We immediately reported this matter to federal law enforcement and are actively cooperating in their investigation.”
According to the wireless carrier, no financial information (such as credit card details) or Social Security numbers were affected by this data breach.
The company also says it has no evidence that the exposed information “has been used to commit fraud or otherwise misused,” but has encouraged its users to update the PIN or passcode on their T-Mobile account.
However, Ilia Kolochenko, Founder & CEO of web security company ImmuniWeb, comments:
“In light of the obscure circumstances and clouded scope of the reported breach, it would be premature to assess the overall damage or speculate about the eventual consequences. For the time being, T-Mobile’s public response seems to be adequately adapted to the nature of the breach, aimed at minimizing damage and protecting potential victims.
“This does not, however, shield T-Mobile from individual lawsuits and class actions from the victims, but will likely minimize any penalties that regulators may impose. The victims will likely have to prove negligence or another relatively complicated legal basis to successfully sue, and most importantly, will have to establish their damages or seek an applicable statute that may quantify compensation.
“This security incident highlights the wide spectrum of critical risks stemming from third-party vendors and suppliers. Worse, such incidents are infrequently discovered given their complexity and lack of visibility. Most organizations merely rely on vendor SAQ and paper questionnaires without ascertaining that security controls are properly put in place. Obviously, this omnipresent practice is largely dictated by economic practicality; however, another solution that would balance the financial burden and risk mitigation is urgently required.”
T-Mobile has also revealed that some of the affected individuals might not receive a notification, either because of outdated contact information or because they are no longer T-Mobile customers. The company encourages those who believe they might have been affected to contact Customer Care for additional information and assistance.