American operator 'left the gate open' according to Forrester Research.
This is T-Mobile US' fifth data breach in four years and the worst in terms of data sensitivity. Forrester analyst Allie Mellen commented, “According to the attackers, this was a configuration issue on an access point T-Mobile used for testing.
"The configuration issue made this access point publicly available on the Internet. This was not a sophisticated attack; this was not a zero day.T-Mobile left a gate left wide open for attackers – and attackers just had to find the gate.”
“This is the fifth public data breach of T-Mobile in three or four years, and by far leaks the most sensitive data and exposes the most customers. It seems T-Mobile has not learned from these previous breaches, especially considering they didn’t know about the attack until the attackers posted about it in an online forum.”
What was stolen?
The breach exposed including social security numbers and some PINs of more than 40 million users, T-Mobile has admitted. In the case of prepaid customers, about 7.8 million are affected but no phone numbers, account numbers, PINs, passwords or financial information from the nearly 50 million records and accounts were compromised.
However, about 850,000 T-Mobile prepaid customer names, phone numbers and account PINs were exposed: T-Mobile has reset the PINs. No customers of Metro by T-Mobile, formerly Sprint prepaid, or Boost customers had their names or PINs exposed.
Other stolen information include customers’ first and last names, dates of birth and driver’s licence information for current and former postpaid customers.
Other unspecified information was exposed regarding billing fees of inactive prepaid accounts.
Pushing the onus onto customers
Mellen added, “T-Mobile is offering two free years of identity protection for affected customers, but ultimately this is pushing the responsibility for the safety of the data onto the user. Instead of addressing the security gaps that have plagued T-Mobile for years, they are offering their customers temporary identity protection when breaches happen, as if to say, ‘This is the best we can do'.’”
Will be interesting to see how many customers vote with their feet and what the regulatory response will be to repeat offending by the operator.