Hackers Claim To Have Breached T-Mobile More Than 100 Times Last Year

by Karl Bode, from Techdirt (#69CPV)

Back in January, we noted that T-Mobile had recently revealed it had been hacked eight times over the last five years. But a new report by security expert Brian Krebs suggests it could be far worse than that. According to Krebs, hackers are making a compelling case that they've managed to compromise the wireless giant's network and internal systems 100 times in just 2022 alone:

Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests. In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user's text messages and phone calls to another device.

T-Mobile's problems have been twofold. One, the company has been repeatedly busted for over-collecting and selling sensitive U.S. consumer location data. Two, the company has repeatedly failed to stop SIM hijackers from porting user identities out from under their feet (often with T-Mobile employee help), then robbing them blind:

Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone's phone number often can let cybercriminals hijack the target's entire digital life in short order - including access to any financial, email and social media accounts tied to that phone number.

The wild thing is none of this is really new. T-Mobile has been fined numerous times for these behaviors, but like most U.S. regulatory fines, they're a tiny fraction of the money made (or saved) from over-collecting and monetizing user data or cutting corners on security practices. It's a modest cost of business that's quickly factored in... and promptly ignored.

T-Mobile routinely proclaims that it's dedicated to learning from its failures, but it not only continues to fight the belated, modest wrist-slap fines from agencies like the FCC, it also keeps expanding the scope of the data it collects (see its recently unveiled "App Insights" program). You also have to wonder how much energy spent on a merger nobody wanted could have gone toward shoring up security.

It's another example of how the regulatory oversight and penalty structure we have in place to "protect consumer privacy" is utterly feckless. We desperately need a competently crafted privacy law for the internet era that imposes meaningful penalties for companies (and executives personally) that repeatedly fail to protect consumer data. And regulators with the staff, money, and competence to consistently enforce them.

But we don't do that because very few people in meaningful positions of power genuinely want to upset the very profitable data monetization apple cart. Even if not doing so repeatedly results in widespread market, consumer, and reputational harm. Until we erect meaningful penalties for being security imbeciles, these kinds of scandals are only going to get worse until they culminate in the kind of scandal it will be impossible for those in power to ignore.
