Over the past week, T-Mobile confirmed that it was the subject of a massive data breach that exposed the personal information of at least 50 million people. That information includes first and last names, birth dates, Social Security numbers, and driver’s license information. That’s pretty much the worst-case scenario, and the only reason we found out is that the company responded to a report from Vice’s Motherboard.
The information belongs mostly to individuals who applied for accounts with T-Mobile and provided the information for the purposes of a credit check. That means that even people who aren’t actually customers are likely affected if they ever tried to open an account.
The company’s response has been, well, disappointing. For example, I’m a T-Mobile customer, and I’ve yet to receive a single communication from the company about the breach. Does that mean my information is safe? It’s hard to know.
T-Mobile is talking to news outlets, however, and wants to make it very clear that “no financial information or credit or debit card information” was compromised. That’s not particularly reassuring if someone has all of the other information they would need to simply open a credit card in your name.
Even worse, this gives SIM-swapping hackers a huge gift. If you’re not familiar with SIM-swapping, it’s where someone convinces a phone carrier that they are someone else and has that person’s phone number transferred to a SIM card under their own control.
That may seem like a strange hack until you realize that most of the things we’d rather keep a hacker out of are protected with two-factor authentication (2FA), which, in most cases, involves sending a one-time code by text message to your mobile phone. That means that if a hacker controls your phone number, they receive those codes and gain access to a lot of your accounts, including, in many cases, your online banking.
That’s all bad, but let’s go back to the part where T-Mobile isn’t doing all that much to notify customers yet. Because, if you’ve put the personal information of more than 50 million people at risk, your first job is to help them protect themselves.
T-Mobile did publish a blog post with information for affected customers, but has not, as far as I can find, reached out to customers directly aside from a text message that said:
T-Mobile has determined that unauthorized access to some of your information, or others on your account, has occurred, like name, address, phone number and DOB. Importantly, we have NO information that indicates your SSN, personal financial or payment information, credit/debit card information, account numbers, or account passwords were accessed. We take the protection of our customers seriously. Learn more about practices that keep your account secure and general recommendations for protecting yourself: t-mo.co/Protect
The problem is, that message feels like a gross understatement of what has actually happened. Even if you have “no information” that a specific customer’s SSN has been compromised, in a breach of this scale the prudent course is to assume it was and act accordingly. Also, not all T-Mobile customers received a text notification, leaving them to wonder whether they have been affected.
In fact, I think you can argue that T-Mobile’s response manages to do something that seems almost unthinkable: it makes the company look worse than the hacker who took the information in the first place. That’s because people who hack into company systems and steal information are criminals. We know that, and we expect them to do bad things.
As for the companies we give our information to, we expect them to protect that data. That’s not unreasonable. Also not unreasonable is an expectation that if someone steals our information, those companies should be upfront and transparent about what happened, what they are doing about it, and what steps we need to take. If you can’t protect our information, at least tell us what we need to do to protect ourselves.
T-Mobile’s blog post says all the right words. For example, it explains that the company is “relentlessly focused on taking care of our customers–that has not changed. We’ve been working around the clock to address this event and continue protecting you, which includes taking immediate steps to protect all individuals who may be at risk.”
Except, if you’re relentlessly focused on taking care of your customers, communication is pretty important. That’s true all the time, but especially when their personal information is at risk.
If you’d like to protect your personal information, start by logging in to your T-Mobile account and changing your password to something secure. Even if user names and passwords weren’t stolen, T-Mobile allows users to access their accounts with their phone numbers, and I’ve already explained why a hacker having your phone number is bad news.
Then, put a freeze on your credit reports. All three of the major credit bureaus allow you to freeze your reports so that if someone attempts to open credit in your name, they will be blocked and you will be notified. T-Mobile also says it is giving its users two years of identity protection from McAfee, which serves a similar purpose.
Finally, T-Mobile does have an “Account Takeover Protection” service that you can add to your account for free. It prevents someone from transferring your phone number to another carrier without your authorization.
The good news is, those steps aren’t that hard. It’s just hard to believe T-Mobile hasn’t proactively contacted its users with the same information. When you fail to communicate effectively, you send a message that you just don’t care about your customers. That’s the one thing you should never do.