The text message arrived Aug. 24 during my morning coffee. “T-Mobile MSG: Hello – We ID’d & shut down an unauthorized capture of your info. No financial info / SSN taken but some personal info may have been.” That was followed by a link to T-Mobile’s security announcement, which basically said the same thing.
While it’s never a good thing to sustain a data breach, the more I looked into the matter, the more I appreciated the warning. The reason for this is because T-Mobile did something that never seems to happen. In short, T-Mobile found the breach, shut it down, and then notified its customers immediately.
T-Mobile has so far been vague about how they caught the hackers, but it’s clear that the company has an effective intrusion detection process. It’s also clear that the company has the ability to kick the intruders out of their system once they’ve been found, which is something else that’s fairly rare.
A spokesperson for T-Mobile told eWEEK that there is no further threat, but did not provide further details in regards to whom the hackers were, or how T-Mobile responded to the breach.
I called T-Mobile’s customer support line to try to learn more about the breach, and was told that the security problem was fixed almost immediately and that the only information that was taken was my name and ZIP code.
T-Mobile’s messages disclosing the breach were soon followed by a flood of emails most of them warning about dire events to come that came from companies offering to remediate the breach, protect my data or otherwise charge money for services I really didn’t need.
That’s because the damage seems minimal and the information taken is essentially public, so there’s no security risk to the customers that are affected.
Unfortunately, the event did point up a couple of things about data breaches that bear remembering. The first is that offers of help, especially those that arrive shortly after the announcement of such a breach, are probably not useful. The ones that appeared in my inbox tended to come from companies that don’t really have much to offer beyond generic advice at high prices.
The second is that it’s possible to have a data breach in which nobody gets hurt and in which everyone handles the situation responsibly. In T-Mobile’s case, the parent corporation, Deutsche Telekom, is based in Europe, and as a result is subject to the data breach requirements of the GDPR.
While about half the states and the federal government have regulations about timely reporting of data breaches to the public or to shareholders, the GDPR requires that the event be reported to authorities within 72 hours, which T-Mobile did in this case.
The GDPR also requires that the subject of a data breach—in this case the customers—be notified “without undue delay.” T-Mobile did that via the text messages it sent out to everyone who was affected, including me.
While it’s not clear whether T-Mobile US is covered under the terms of the GDPR, its parent company certainly is and T-Mobile US is clearly following those rules. The company has also announced that it has fixed the problem that enabled the breach.
What you’re seeing here is a very clear indication of what happens when the GDPR rules of the EU impact on a U.S. mobile service provider. In this case, the result was positive in that the company performed its required actions as it was supposed to.
But it also provides another lesson. T-Mobile has demonstrated that company has the capability to detect a breach, fix it, and notify its affected customers well within the required time. Compare this with the corporate complaints that surfaced after the GDPR took effect about how it was impossible to follow requirements for a rapid response.
Now that you know that a quick response to a data breach is possible, it’s time to think about your organization’s own plans for handling an inevitable breach. Those plans need to include a reliable means of security monitoring, including an intrusion detection system as part of your security suite. And it requires a plan for notifying your customers when a breach occurs, what you did about it and how you plan to keep it from happening again.
The best way to start is to assume that your perimeter can be (and probably has been) breached. Ask yourself what data they would find and how they would find it. If things like customer records are easily seen by an intruder once they get past your defenses, then it’s important that you either move them elsewhere or at least make them inaccessible through hashing or encryption.
Next, ask yourself how an intruder might remove data from your network. Do you have a means to detect large file transfers from unauthorized systems? Hackers frequently stash data somewhere on the internal network until they can exfiltrate it. You can stop that if you know where to look for it.
But what’s most important is to know that you can prevent breaches and you don’t have to listen to excuses saying why they can’t. Excuses won’t prevent a breach, but some positive action, combined with a plan, can keep breaches from damaging your company’s reputation and profitability.