As The Wall Street Journal reports, T-Mobile has confirmed that hackers stole the personal data of 54 million people, including birthdates and Social Security numbers. Hackers then tried to sell the information online for between $80,000 and $270,000 in bitcoin. The Federal Communications Commission was reportedly investigating.
As The Washington Post notes, while these types of attacks may lack the headline-grabbing drama of ransomware, the T-Mobile breach shows that the threat from hackers who steal data simply to sell it online remains serious. Brett Callow, a threat analyst at Emisoft, told The Post, “The motivation obviously is money.”
The incident also raises the question of why certain companies seem particularly prone to cyberattacks. Forrester security and risk analyst Allie Mellen told The Post that the breach is at least the fifth in four years for T-Mobile. Mergers and acquisitions, such as T-Mobile’s combination with Sprint last year, can make it harder to align cybersecurity standards, Mellen observed.
There’s an old saying about why bank robbers rob banks: because that’s where the money is. Michael Daniel, president and CEO of the Cyber Threat Alliance, pointed out to The Post that cybercriminals target companies “where there are large pools of customer data available.”
Still, as The Washington Post notes in a separate report, even tens of millions of data breach victims may not be enough to capture public attention in an era when news of cyberattacks have become routine. The T-Mobile breach may wind up as a defining example of what security researchers call “breach fatigue.”
As AdAge reports, customers might “shrug off” the news. Marketing experts and analysts said that while new users might be reluctant to sign up with T-Mobile while the breach is top of mind, existing customers will probably stay put. They might have even expected as much. A Compliance Week headline calls T-Mobile’s hack “the least surprising data breach of 2021.” Nevertheless, according to Bloomberg Law, T-Mobile faces a pair of class action lawsuits alleging violations of the California Consumer Privacy Act.
T-Mobile is working with Mandiant and KPMG to bolster its cybersecurity, reports The Verge. In an interview with The Wall Street Journal, the 21-year-old taking responsibility for the attack called the company’s defenses “awful.”