In a disconcerting déjà vu, T-Mobile has been hit with yet another data breach, marking the second time in a year that the telecom giant has failed to protect the sensitive information of its users. The first data breach, which occurred in January 2023, affected a staggering 37 million individuals. This time, the breach was limited to only 836 people, but the implications remain just as alarming.
The data breach took place between February 24 and March 30. According to T-Mobile, it was caused by hackers from outside the company who infiltrated its information system and gained access to customers' personal information.
T-Mobile recognizes that the data breach involves enough personal information that the data subjects could be victims of identity theft. The company was therefore obliged, given the risk of serious harm, to directly inform the data subjects of the data breach.
Indeed, the risk of serious harm is assessed according to the sensitivity of the personal information that has been disclosed or the amount of personal information that has been disclosed. Here is the list identified by T-Mobile, which may differ depending on the data subjects:
Here, when looking at the personal information, we immediately see the presence of sensitive personal information, including social security number and ID card. This kind of sensitive personal information, in the hands of ill-intentioned people, can be used to open credit accounts, credit cards, loans or lines of credit, or to make fraudulent online purchases, which can put the data subjects in debt and compromise their credit rating. It's also hard to ignore the fact that recovering a stolen identity can be time-consuming and tedious, requiring hours of paperwork, phone calls and emails. This can result in lost time and productivity for those involved, as well as emotional stress and a sense of loss of privacy and reputation.
1. Before any data breach, have a privacy incident management policy. This policy will allow you to act in the most efficient way. Notifications to the Data Supervisory Authorities must generally be sent within 72 hours after the incident has been reported. It is therefore necessary to be efficient and quick, and to ensure good communication within your company so that the DPO or its equivalent is contacted as soon as possible.
2. Identify the scope of the data breach. It is imperative to identify as quickly as possible the personal information affected by the breach and to form a general idea of the scope of the incident. It is necessary to determine whether the incident may cause serious harm to the data subjects. If so, it is mandatory to notify the right supervisory authority. At the same time, this will help to delineate the incident and identify the different territories affected by it. This step is essential in order to identify the different Data Supervisory Authorities that must be notified of the privacy incident if it concerns data subjects in different territories.
3. Report the privacy incident to the supervisory authority(ies) and, if required, to the data subjects. The reporting procedures and deadlines may differ depending on the applicable legislation.
In general, Data Supervisory Authorities request the following information:
4. Create and maintain a data breach register.
Every data breach must be documented in a data breach register. This register must be kept up to date and communicated to the supervisory authority upon request.
This register must contain:
If you're concerned about your personal information being compromised in T-Mobile's recent privacy incidents, don't hesitate to act. Protecting your privacy and securing your data is crucial, and Hitachi Systems Security is here to help.
Our team of experts specializes in privacy and cybersecurity solutions for businesses and individuals alike. Contact us today to learn how we can help you mitigate risks, protect your data, and ensure your privacy is always a top priority.