Professionals question T-Mobile's security mindset and practices amid recurring data breaches
In a concerning turn of events, T-Mobile, one of the world's largest mobile network operators, has suffered its eighth publicly acknowledged data breach since 2018. The latest incident, which came to light in August 2021, resulted in the theft of data from 37 million customers.
On January 5, 2022, T-Mobile confirmed the data breach, revealing that an external API had access to customers' Personally Identifiable Information (PII). The API exploited by the threat actor remains undisclosed.
The breach occurred 41 days after a Black Friday intrusion went undetected, raising questions about T-Mobile's ability to monitor and manage its systems effectively. Analysts view the repeated security lapses at T-Mobile as a pattern, indicating a misalignment between security investments and outcomes.
Mauricio Sanchez, research director of network security at Dell'Oro Group, described T-Mobile's lack of improvement after multiple hacks as "pretty egregious." Zeus Kerravala, founder and principal analyst at ZK Research, suggested that T-Mobile's lack of urgency around security issues is a cyclical problem, as hackers may continue to focus on the company due to its perceived vulnerability.
Common API security challenges include broken access control, insecure design, security misconfiguration, identity and authentication failures, and logging and monitoring failures, according to the Open Web Application Security Project. Justin Fier, SVP of red team operations at Darktrace, found it alarming that an external API had access to such a large amount of sensitive PII.
Chris Nicoll, senior principal analyst at Nicoll Associates, stated that security is not the primary focus for many companies, but it is for the attackers. Malicious actors are "masterful at hiding their activities," and it's incumbent on T-Mobile to be more diligent at monitoring and managing its systems.
Despite the latest data breach, the setbacks to T-Mobile are expected to be minimal, according to analysts. Corporate stakeholders are seeking to better understand the risk calculus of their technology stacks, with a focus on determining whether they are a potential target.
T-Mobile declined a request for further comment regarding the data breach. However, the company has previously committed to improving its security posture and increasing investments in data privacy after a massive data breach in August 2021.
As the mobile phone becomes the control point of many people's lives, the security of mobile operators like T-Mobile takes on increased importance. T-Mobile customers should be wary, and it's crucial for the company to address these concerns to regain the trust of its users.