Written by Pierre Berteloot on 4 May 2023

T-Mobile Faces Another Privacy Breach, Our Experts Weigh In

In a disconcerting deja vu, T-Mobile has been hit with yet another data breach, marking the second time in a year that the telecom giant has failed to protect the sensitive information of its users. The first data breach, which occurred in January 2023, affected a staggering 37 million individuals. This time, the breach was limited to only 836 people, but the implications remain just as alarming.

The data breach took place between February 24 and March 30. According to T-Mobile, the cause of the data breach was the actions of hackers from outside the company who managed to infiltrate its information system and gain access to customers' personal information. 

T-Mobile recognizes that the data breach involves enough personal information that the data subjects could be victims of identity theft. The company was therefore obliged, given the risk of serious harm, to directly inform the data subjects of the data breach.

Indeed, the risk of serious harm is assessed according to the sensitivity of the personal information that has been disclosed or the amount of personal information that has been disclosed. Here is the list identified by T-Mobile, which may differ depending on the data subjects:

  • First and last name,
  • Contact information,
  • Account number and associated phone numbers,
  • T-Mobile account PIN,
  • Social Security Number,
  • ID card,
  • Date of Birth,
  • Balance due.

Here, when looking at the personal information, we immediately see the presence of sensitive personal information, including social security number and ID card. This kind of sensitive personal information, in the hands of ill-intentioned people, can be used to open credit accounts, credit cards, loans or lines of credit, or to make fraudulent online purchases, and this can put the data subjects in debt and compromise their credit rating. It's also hard to ignore the fact that recovering a stolen identity can be time-consuming and tedious, requiring hours of paperwork, phone calls and emails. This can result in lost time and productivity for those involved, as well as emotional stress and a sense of loss of privacy and reputation.

So what actions should you take if your company is facing a data breach?

1. Before any data breach, have a privacy incident management policy. This policy will allow you to act in the most efficient way. Notifications to the Data Supervisory Authorities must generally be sent within 72 hours after the incident has been reported. It is therefore necessary to be efficient and quick and to ensure good communication within your company to contact the DPO or its equivalent as soon as possible.

2. Identify the scope of the data breach. It is imperative to identify as quickly as possible the personal information affected by the breach and also to have a general idea of the scope of the incident. It is necessary to identify whether the incident may cause serious harm to the data subjects. If this is the case, then it is mandatory to notify the right supervisory authority. At the same time, this will also help to delineate the incident and identify the different territories affected by the incident. This step is essential in order to identify the different Data Supervisory Authorities, which must be notified of the privacy incident if the incident concerns data subjects in different territories.

3. Report the privacy incident to the supervisory authority(ies) and, if required, to the data subjects. The reporting procedures and deadlines may differ depending on the applicable legislation.

In general, Data Supervisory Authorities request the following information: 

  • description of the breach;
  • the date, time and place of the breach;
  • the persons concerned and the third parties affected;
  • the type and amount of personal data involved and the device affected;
  • an assessment of the risks to the data subjects;
  • notification to the data subjects and third parties (if necessary);
  • the security measures currently in place; and
  • measures taken to mitigate the consequences of the breach.

For data breach notification to the data subjects, the requirements are generally as follows:

  • the context of the incident and when it occurred, and a description of the nature of the personal information affected or potentially affected, without disclosing specific personal information;
  • a brief description of the steps taken to mitigate or prevent any harm, as well as a list of organizations that have been notified of the situation (police department, banks, etc.);
  • the actions taken by organizations and companies to assist the data subjects, such as help and information services, credit alert subscriptions, etc.;
  • measures that the data subjects can take to reduce the risk of harm or to better protect themselves;
  • other general information to help the data subjects to protect themselves from identity theft;
  • contact information for a person (usually the DPO or its equivalent) within the organization who can answer questions and be contacted; and
  • the main steps that will be taken to prevent the breach from happening again (change of practice or process, staff training, policy revision or development, audit, periodic monitoring, etc.).

4. Create and maintain a data breach register.  

Every data breach must be documented in a data breach register. This register must be kept up to date and communicated to the supervisory authority upon request.   

This register must contain:   

  • A description of the personal information involved in the breach or, if this information is not known, the reason for not being able to provide such a description;   
  • A brief description of the circumstances of the breach;   
  • The date or time period when the breach occurred or, if not known, an approximation of that time period;   
  • The date or period when the organization became aware of the breach;   
  • The number of data subjects involved in the breach or, if not known, an approximation of that number;
  • A description of the factors that lead the organization to conclude that there is or is not a risk of serious harm to the data subjects, such as the sensitivity of the personal information involved, the potential for misuse of the information, the perceived consequences of its use, and the likelihood that it will be used for harmful purposes;   
  • If the incident poses a risk of serious harm, the dates on which notice was given to the Data Supervisory Authority and to the data subjects, and whether and why public notice was given by the organization;   
  • A brief description of the steps taken by the organization, following the occurrence of the incident, to reduce the risk of harm.

If you're concerned about your personal information being compromised in T-Mobile's recent privacy incidents, don't hesitate to act. Protecting your privacy and securing your data is crucial, and Hitachi Systems Security is here to help.

Our team of experts specializes in privacy and cybersecurity solutions for businesses and individuals alike. Contact us today to learn how we can help you mitigate risks, protect your data, and ensure your privacy is always a top priority.
