To be honest, my name, billing address, email, and phone number have been compromised so many times by so many companies by now that I just don’t care any more. I’m about to do my once-a-decade phone number switch anyway. As long as my password/hash and payment info wasn’t compromised, that’s the main thing I care about.
I don't disagree that this is sensitive, but isn't it wild to think that only 15 years ago, Yellow Pages was sending directories of name, address, and phone number of everyone in your area.
Calling T-mobile’s security “ludicrous” would be a compliment. For a company with their resources, especially after multi-billion $ injection from ATT’s failed merger, they are so bad at it, it’s inconceivable. I don’t know who they’re hiring or contracting with to secure their systems and design their protocols, but they are garbage.
Never used T-Mobile, yet after the last T-Mobile breach, I received a postcard from them offering me credit security services because they leaked my information. Turns out that data was from the early 2000s when a cell phone store employee checked to see what services I could apply for... WTF!
Over the last 24 months, I have seen some weird increasing rate of vulnerable API endpoints in my own research. One of which would allow a bad actor direct access to over $2BB in funds (from a major organization worth more than $10BB), another plain-text credit card numbers and billing addresses (same application as the first); another was more plain-text credit card numbers (much smaller org, but still sizable). Both attacks were alarmingly non-trivial and would be scored as critical.
Why this trend is seemingly increasing, I don't know.
> "Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network"
Why do companies always try to sugarcoat things? It's analogous to a doctor who gives us bad news but shows us the silver lining. I guess these are more of the PR side of things.
The target for the communication is investors. I read it to say "Price in the costs for a garden variety data breach, but not a CPRA-specific class action."
> The company said it identified malicious activity on Jan. 5 and contained it within a day, adding that no sensitive data such as financial information was compromised.
> However, some basic customer information was obtained, such as name, billing address, email and phone number, T-Mobile said.
Is this not sensitive information? That all qualifies as PII.
Plus, another article [0] goes on to add "dates of birth, T-Mobile account numbers and information describing the kind of service they have" which gets me wondering about social engineering against CSRs, leading to a wave of SIM hijacking and the like.
It is all PII. At the same time, all of this is often readily available for free from local government websites — this data and more are present for anyone who registers to vote in Seattle (maybe King County?), in a downloadable spreadsheet.
I hate that this information is out there. For most of us it’s one in a series of unwanted disclosures. I care and disapprove on principle but I don’t think I’m compromised any more than I already am.
In these breaches there always seem to be two tiers of data, sensitive data that remains secure and less sensitive data that is leaked. This shows me that companies are capable of securing sensitive data in most cases, and don't care as much about less sensitive data (even if it is PII). Maybe all data should be encrypted at rest, in transit, etc. and not just passwords, socials, and credit card numbers.
In the UK (arising from GDPR so I would assume EU as well), sensitive personal data is an enhanced category of PII which requires more considered handling.
This would include things like race, health conditions, disabilities, sexual orientation, political views - basically things that you wouldn't expect T-Mobile to be storing.
"adding that no sensitive data such as financial information was compromised"
"some basic customer information was obtained, such as name, billing address"
Yeah THIS is why I vehemently disagree with KYC laws, especially those requiring a street address. I shouldn't have to tell someone where I sleep to use their business.
Breaches like this enable stalkers, thieves, domestic violence, lots of bad things.
Or even better: by federal law, cancel all bonuses, stock buybacks and dividends for 3 years, for any company that leaked data about any person, anywhere in the world through a data breach. And fine them accordingly, so the saved money doesn't just pile up for a late payback 3 years later.
I was a happy customer of T-Mobile for around 10 years, until I moved out into the county and was forced to switch. It seems like T-Mobile has gone downhill since acquiring Sprint. But this isn't the first time something like this has happened at T-Mobile. Seems as if they have a 2-3 year cadence of data incidents.
It starts to look like these are not breaches but instead could be sales of customer account info by insiders that are then reported as breaches by external bad actors.
This is far too regular an occurrence for T-Mobile. I have never been a customer of theirs and so far as I know my info has never leaked from my cell provider. Unfortunately I was caught up in more than one other major data breach over the last 10 years so it is all out there but still, when one company has this many similar breaches it starts to look like planned events.
This. I was a TMo customer from when they were Voicestream until about five years ago, then again 3 years ago. Had to switch to VZW so the college kids got signal. This is what, the third or fourth time they've had a data breach? We will not be going back. Ever.
My 89-year-old mother uses a T-mobile prepaid plan on her flip phone. A text message that addresses her by name might fool her into getting phished. Plenty of “personal information” has leaked.
gundamdoubleO | 3 years ago
> "some basic customer information was obtained, such as name, billing address, email and phone number"
Yup definitely no sensitive data there
bmarquez | 3 years ago
Already had to freeze my credit reports because of last time, this new breach is ridiculous.
rvz | 3 years ago
> However, some basic customer information was obtained, such as name, billing address, email and phone number, T-Mobile said.
This isn't even the first time they got breached and yet it has happened again. They have not learned anything.
I think it is time that we stop using phone numbers as a login mechanism. It has always been a completely stupid idea from the beginning of its use.
Let the SIM swapping attacks and identity theft games begin.
[0] https://www.cnn.com/2023/01/19/tech/tmobile-hack/index.html
baxtr | 3 years ago
Also, this type of PII has been leaked very often by now.
sedatk | 3 years ago
Not after T-Mobile breach.
arkadiyt | 3 years ago
https://www.sec.gov/Archives/edgar/data/1283699/000119312523...
jgaa | 3 years ago
That should fix the problem.
SoftTalker | 3 years ago
I don't trust any message from anyone not in my address book. Even then, the sender can be spoofed, but it's less likely.
shawn-butler | 3 years ago
Credit monitoring always seemed to me like a scam à la antivirus, but in all fairness I have never purchased it either.
jpease | 3 years ago
Most of that used to be published in print and sent out to everyone. Do they still make phonebooks?