- The latest in a long list of breached companies, last week T-Mobile's cybersecurity team discovered "unauthorized access to certain information." T-Mobile reported 3% of its 77 million customers — about 2.31 million customers — were impacted, the company told CIO Dive in a statement.
- Affected customers had names, billing zip codes, phone numbers and email addresses exposed, in addition to some account numbers, according to the announcement. The company said no financial data was compromised.
- T-Mobile publicly announced the incident Thursday, just days after the breach was identified. "This was quickly discovered and shut down. There's no ongoing risk," according to T-Mobile.
No matter what security controls are in place, some incidents are difficult to prevent. If companies assume security incidents are inevitable, quick work to remediate impact can help save a company's reputation and maintain customer loyalty. Operating under the assumption of when, not if, a company will suffer a data breach ensures corporate stakeholders always have a response strategy.
This is not T-Mobile's first rodeo with a data breach. In September 2015, the company's vendor Experian discovered an "unauthorized party" accessed T-Mobile data housed on its server. The 2015 breach was ongoing, impacting customers from Sept. 2013 through Sept. 2015.
Far more severe than the latest incident, the 2015 data breach exposed sensitive personal customer information, including names, addresses, Social Security numbers and identification numbers, which included driver's license numbers, military IDs or passport numbers.
Security shortcomings have becomes so routine it is difficult to remain clued into the seriousness of the incident. Data breaches are merely stacked up against one another for experts to muse which is worse and how many more people are impacted.
"People are too jaded, frankly," said Avivah Litan, VP and distinguished analyst at Gartner, in an interview with CIO Dive. "These breaches are very serious if even it's not [personally identifiable information] data" exposed.
Unless 150 million records are compromised, "we don't get upset about it," said Litan.
Companies are also quick to hide behind security audits and controls. But just because companies are compliant doesn't necessarily mean they are secure, according to Litan. "We can't expect audits to catch everything and we hide behind audit safety."