T-Mobile customers are due to get two years of free identity theft protection after a crippling cyberattack stole data on many millions of users.
Matt Novak reports at Gizmodo on the hack, which targeted specific information on an estimated 49 million users, including sensitive data like Social Security and driver’s license numbers.
The overall number of victims, which includes around 850,000 prepaid customers, is under debate, as T-Mobile claims the number is close to 49 million, but the hackers themselves claim to have taken information from twice that, around 100 million users.
The attackers are asking for six Bitcoins (USD value around $200,000) in exchange for releasing the information.
Although T-Mobile suggests no sensitive financial information such as bank account numbers was stolen, its offer to provide identity theft protection rings hollow for many customers as coals to Newcastle, since the main objective of companies holding customer data is to prevent breaches in the first place.
“Most companies keep sensitive personal information in their files—names, Social Security numbers, credit card, or other account data—that identifies customers or employees,” write FTC spokespersons on the agency’s web site. “This information often is necessary to fill orders, meet payroll, or perform other necessary business functions. However, if sensitive data falls into the wrong hands, it can lead to fraud, identity theft, or similar harms. Given the cost of a security breach—losing your customers’ trust and perhaps even defending yourself against a lawsuit—safeguarding personal information is just plain good business. Some businesses may have the expertise in-house to implement an appropriate plan. Others may find it helpful to hire a contractor. Regardless of the size—or nature—of your business, the principles in this brochure will go a long way toward helping you keep data secure.”
To this end, the FTC presents a sound data security plan with five critical steps: take stock, scale down, lock it, pitch it, and plan ahead.
Employee training, experts say, is also important:
“The breadth of your employees cybersecurity training should be focused on how to spot a phishing scam via phone, email, and social media as well as how to how to use encryption when sending sensitive data via email,” RSI analysts tell business leaders. “Employees should also understand the importance of creating a secure password and changing their password at least every 30 days. Another area of focus for this training is to be privy to the necessary reporting protocols so that if an employee suspects that their credentials have been stolen they know who and where to turn to for remediation.”
Keep an eye on the struggles of this telecom provider as one more example of the consequences of massive data leaks that are plaguing retailers and other parties in today’s high-tech economy.