With the dust still settling from the massive data breach at T-Mobile, the Federal Communications Commission (FCC) and Massachusetts Attorney General Maura Healey have opened investigations into the incident.
Healey aims to determine whether the company had proper safeguards in place to protect consumer information and mobile device information. In a statement given to a local television station, the AG specified, “the investigation will focus on Massachusetts law, which requires companies to have safeguards to protect people's privacy.” She also conveyed that companies must make sure to have safeguards in place because if there is a breach, “you will be responsible and you will be held accountable.”
On the government's side, the FCC is aware of the data breach and is probing whether any monetary penalties must be imposed. “Telecommunications companies have a duty to protect their customers’ information,” said an FCC spokesperson. Analysts said that the commission is likely to ask whether T-Mobile followed FCC rules once it discovered the breach. These include notifying authorities, taking necessary precautions leading up to the cyberattack, and meeting the latest industry standards.
This is not the first time T-Mobile has faced data privacy concerns. In 2017, the FCC claimed that the telco failed to protect more than 15 million consumers from a third-party contractor collecting data for credit checks. At that time, no compensation was charged. Meanwhile, in 2018, about 2.5 million customers had their data exposed in a network breach that also became part of a federal class-action lawsuit.
Latest data breach synopsis
A bad actor gained access to T-Mobile systems around July 19, 2021, but the telecom company only learned on August 17, 2021 that the data of around 50 million of its past, present, and prospective customers had been illegally accessed. Since then, the company has made exhaustive efforts to assess and handle the situation. It has located and immediately closed the access point that was believed to be the entry point to its servers.
John Binns, a 21-year-old US citizen claiming to be the attacker, has revealed his identity to the WSJ and criticized the telecom’s “awful” security. He reportedly found an unprotected, exposed router, and from there managed to break into T-Mobile’s data center outside East Wenatchee, Washington, and access more than 100 servers that contained the personal data of millions.
T-Mobile confirmed that the data stolen from its systems did include personal information such as customers’ first and last names, date of birth, SSN, and driver’s license/ID information. However, the company indicated that the stolen files did not include any customer financial information, credit card information, debit, or other payment information.
Moving forward, Mike Sievert, CEO of T-Mobile, affirmed that the company would improve its ability to fight back against criminals and protect T-Mobile and its customers. “We know that the bad actors out there will continue to evolve their methods every single day and attacks across nearly every industry are on the rise. However, while cyberattacks are commonplace, that does not mean that we will accept them. T-Mobile is taking significant steps to enhance our approach to cybersecurity.”