Repeating the same actions over and over again and expecting a different result is, to some, the definition of “insanity.” The saying holds a certain logic, but by the same token repeated actions can also serve as an opportunity to practice or improve in some way. When it comes to responding to cyber incidents, it’s always interesting to see which way a company chooses to go. Will they follow the path of insanity, or will they learn, adapt, and improve their cybersecurity?
Last year we discussed lessons from the T-Mobile breach. Yet it seems history is repeating. Here we are again, contending with news of the eighth data breach T-Mobile has endured in the last 5 years. There are so many elements surrounding the cyber-plight of this company that we’re forced to revisit the topic, this time with a bit more focus and some very serious questions.
First, the reports on this incident from late January 2023 said the data of some 37 million customers was lost. Apparently, hackers exploited an application programming interface (API) on one of the company’s platforms. Further, the hackers first accessed the data in late November 2022 yet could not be stopped (and were probably not detected) until over two months later, sometime in late January.
T-Mobile: A Significant Target
It’s not much of a secret that T-Mobile is a data-rich target. Its existing and legacy customer base includes millions of accounts, with personal billing information, dates of birth, addresses, and other personally identifiable information (PII). On top of that, T-Mobile has exhibited vulnerability through the sheer number of successful attacks inflicted on it, making the company even more of a target.
Will the eighth time be the charm? We can only hope this incident will serve as a turning point for T-Mobile, a time at which they have asked every question and learned all they can learn, to ultimately build the kind of cybersecurity practice that prevents and reduces incidents, and works proactively to minimize the damage incidents cause. Doing so successfully takes a number of steps that anybody on the outside can predict, and raises the following questions:
- Has the company’s board held its C-level executives accountable?
- How much qualified help has the company requested?
- How can the company’s digital operations be running this far in the dark?
- Is the company really ready to make effective decisions about its issues?
- Are the T-Mobile IT organization and IT security organization being truly transparent with their leadership?
And the overarching question: Is the internal T-Mobile IT organization equipped to deal with cyber-threats, or are they better off partnering with experts? We’re not looking to pick on a company when it is down, but for T-Mobile there’s been a lot of time down on the mat.
Making Cybersecurity Decisions (Breaking the Loop)
Cybersecurity is not a one-time project, but a continuous process that requires regular assessments and updates. Unfortunately, many companies view cybersecurity as an afterthought or an expense rather than a critical aspect of their operations. This often leads to a loop of inadequate resources being allocated to cybersecurity, resulting in insufficient protection against threats.
Additionally, many companies do not conduct regular security assessments, or fail to address vulnerabilities identified during the assessments that occur. Among the most common mistakes companies make are not prioritizing cybersecurity and not seeking partnerships to assist in this mission.
Seeking the right outside assistance is a sign of strength, not weakness. It takes leadership to make this decision, and leaders who give in to indecision will eventually find themselves back in the same place – hacked, embarrassed, and an even bigger target than last time. Collaborating with an outside partner to deliver a comprehensive security service is a proactive step towards ensuring the continued success of a business in today’s ever-evolving cybersecurity landscape.
Cyber Impact and Remedies
This time around, T-Mobile’s cybersecurity lessons must be thorough and systemic. They must include the ability to monitor, alert on, and respond to activity across their entire digital estate. It’s clear they need an outside perspective and help; what they’ve been doing for the last five years is simply not working. Weeks of unfettered, unauthorized access by an outsider simply cannot happen again.
Cybersecurity is critical for every company, regardless of size or industry. Companies that make cybersecurity mistakes can put themselves at risk of a cyberattack, which can result in significant financial and reputational damage. It’s essential for companies to prioritize cybersecurity and invest in adequate protection to mitigate the risk of cyberattacks. By doing so, companies can protect their sensitive data and reputations, and ensure the continued success of their business.