On 23 August, telecom giant T-Mobile confirmed that the company suffered a security breach on its U.S. servers last week. According to company statements, the hack may have resulted in the leak of “some” personal information of up to 2 million T-Mobile customers. The data likely exposed to the attackers included customers’ name, billing zip code, phone number, email address, account number, and account type (prepaid or postpaid). T-Mobile said the company informed law enforcement about the security breach and is notifying affected customers directly via SMS message, letter in the mail, or a phone call.
Despite the size of the breach, there was a bit of good news as well. T-Mobile’s security executives were able to assure customers that no financial information, such as credit card numbers, social security numbers, or passwords, was compromised in the security breach.
While it is good T-Mobile can offer this reassurance, the hack itself is not a particularly good sign. T-Mobile is the third largest carrier in the United States, with over 76 million clients. It is a company that specializes in communications and data. What was it about the network protocols that allowed them to be penetrated?
The truth is, information about how exactly cybercriminals pulled off the breach is sketchy at best. All T-Mobile was able to offer is that the attackers entered their systems through a weak Application Program Interface, or API, used in the company’s database. An API is essentially a set of protocols that allows different components of the network to communicate with each other. What the flaws were and what methods the attackers used are still unclear.
The T-Mobile incident marks the latest high-profile data breach in a growing trend of hacks targeting large businesses. In June, the British mobile phone retailer Carphone Warehouse was hacked, affecting some 10 million customers. Later that same month, Ticketmaster suffered a similar breach that affected tens of thousands of its clients. These attacks were later topped off by a breach on the online forum Reddit in early August. What makes many of these breaches surprising is that many of the victims are enterprises that specialize in information technology. This is especially true when it comes to Reddit, a company that has recruited so many information security experts into its ranks. With regard to the most recent incident suffered by T-Mobile, there is even more embarrassment, as the company suffered an insider data compromise two years ago that also exposed personal details of the company’s clientele.
In light of this pattern, there is an obvious question that should be asked: Is there some trend of irresponsible security practices making these hacks inevitable?
If you ask most IT security researchers, the answer is a definite yes.
As a statistical fact, the majority of hacks are the result of weak authentication protocols. With individual users, this usually means weak passwords. In a study done by Verizon, the company discovered that some 80 percent of hacks may be due to this one factor alone.
But when it comes to businesses, especially major corporations, companies understand that they need to invest a bit more in authentication. After all, valuable information assets plus all of their clients’ personal information are being protected by their security protocols. Any responsible enterprise will go the extra mile and require all employees, from executives to low-level workers, to use some form of enhanced identity protection. Some businesses opt for security tokens. Some incorporate biometrics. There are many options out there, all with their pros and cons. The problem is the trend of companies that don’t seem to take authentication seriously. After the Reddit event a few weeks ago, the world of tech began railing against the company for choosing to employ SMS authentication, a method known as an easy target for a dedicated hacker.
Hopefully, what will come out of this series of cyber attacks is a change in business standards and in what customers expect from companies. As awareness of the vulnerability of these large corporations increases, the ability of companies to assure their clients of data security will become an essential part of the service they provide. Eventually this will become a major factor in increasing companies’ competitive edge, as clients will prefer a provider that can offer higher safety standards for their personal data.