T-Mobile Hacked, Information on 100 Million Users Stolen

Originally published at: T-Mobile Hacked, Information on 100 Million Users Stolen - TidBITS

Another big tech company has been hacked. Again. This time it was T-Mobile, with personal information on 100 million customers stolen.

Absent any reasonable regulator intervention, is there a simple explanation as to why consumers can’t just sue T-Mobile to the tune of something that will actually hurt?

It appears companies (at least here in the US) keep losing people’s sensitive data because they obviously don’t have that much to fear. Making their negligence more painful to them and their shareholders (i.e. hitting their bottom line) could get them to start caring.

I’m sure there could be suits, but class-action suits tend to only benefit the lawyers.

And I’m sure if you read the fine print of your service contract, there will be something that releases them of liability, which will make a lawsuit even more difficult and expensive.

This is all true, but if there are enough complaints, a local government might step in:

New York City recently won a case, and victims were compensated:

But the main purpose would be to hurt businesses to provide an economic incentive to take security seriously.

I’m not a lawyer, but it’s my understanding that one can’t hide behind the terms of a contract to excuse negligence. The problem would be to prove that a company acted negligently. I don’t know if we know enough yet about what happened at T-Mobile to determine that the company wasn’t taking reasonable precautions to guard against a breach.

Unfortunately, it seems that even when a company appears negligent—the Equifax breach comes to mind—all they seem to get is what amounts to a slap on the wrist these days. It’s not surprising that many businesses seem to take a relatively lax attitude toward securing their systems.

All correct. A contract isn’t a get-out-of-jail-free card, but it does raise the bar for any suits.

And unless it’s a very extreme case, the worst that happens from these suits is some bad press. The companies either absorb the penalty or they pass along the costs to their customers.

Yes, the affected victims will get something, but it’s rarely enough to even bother mentioning. Note the link @MMTalker shared. $9.6M was paid out to 164,400 people - each got $58. I would be surprised if that comes even close to the amount of actual damages.

I just got something like $3.26 from some Google+ class action settlement. Trying hard not to spend it all in one place. 🙂

Yeah, so obviously, damages are far too low.

What is then preventing a lawsuit (again assuming the Feds don’t finally step in) that really makes a dent? Say $10B (roughly T-Mobile USA’s profits from the last 3 years). That should probably be enough to make a more lasting impression. And of course create an economic incentive not to lose people’s sensitive data again.

Even in the event they pass that on 100% to their customers, that’s still fine. It puts them at a competitive disadvantage compared to their competitors, which again creates a strong incentive not to be idiots again in the future.

If we keep on letting these things happen without any serious repercussions, wouldn’t that make us fools to believe this should ever get better? Or are we just content with the way things are, so no need to change anything?

One of the questions is what the actual damages to individuals are. With my snarky comment about Google+, I didn’t suffer any damages at all as far as I know, so maybe $3.26 was too much.

The other problem is that it’s hard to prove negligence, especially as systems grow ever more complex and the sophistication of the attackers increases. There’s a real difference between failing to change default admin passwords on consumer-level gear and falling prey to an expert attack that relies on a zero-day.

So yeah, many of us want to nail the idiots to the wall, but it doesn’t feel like there’s an easy way to know when that’s appropriate.

$3.26? I got $2.15 as specified here.

Nah, that’s letting them off too easy IMHO. It is T-Mobile’s choice to ask for and save my SSN or my DOB. I never asked them to do it. If they think they need that for their dealings, fine, but then they need to ensure it doesn’t get lost because obviously that’s something that cannot be undone. But again, that is entirely their problem. I also don’t really care how negligent they were. If they store my personal information and it gets taken from them, they are responsible. They are the party I have dealings with. If somebody takes something that belongs to me and hands it over to a third party, I’m not going to accept being forced to go after that third party, I’ll go after the party that gave something away that belongs to me. It’s my data, it belongs to me. Perhaps they may borrow it (again if they believe they absolutely need it), but if they lose it, they should be held liable regardless of how well they thought they had secured their systems. Because let’s be real here, whatever they thought, they obviously weren’t secure enough as we now see.

Lawsuits sound like an inefficient and ineffective way of dealing with this issue. Wouldn’t it be better to legislate a duty of care on companies, with large fines (e.g. a percentage of revenue) from the government/regulator in case of failure of that duty?

Clearly you see incompetent tech security people as first up against the wall when the revolution comes. 🙂

An interesting thought. Are there examples of that in other areas?

You guys are getting paid?

Lawsuits are one response. Here in Canada we have an election coming. The parties are not talking [at least prominently] about cybersecurity. IMO, it should be amongst the very top issues discussed, and amongst the biggest areas of federal government spending: subsidies for cybersecurity R&D, cyber defense, R&D, diplomacy, etc. Stealing data is very serious. But these actors can also take down entire organizations, including banks and other financial services, where they could do considerable damage.

I fully agree. That’s BTW the way it’s handled in certain European countries. In Switzerland, for example, a Datenschutzbeauftragter can fine a company for data breaches by an amount that’s determined relative to their revenue. I’m pretty sure I recall a similar system in Sweden (although it’s certainly more centralized than in Switzerland), but it’s been a while since I worked there. Since Germany is usually also very tough when it comes to privacy, I would be interested to hear from German posters here if they perhaps have a similar system in place.

In terms of us here in the US, I note that our regulators are notoriously hesitant to regulate. The former administration was not at all keen on cracking down on businesses for privacy violations. The current administration has so far not enacted or announced anything I would consider new. And TBH I’m not expecting too much either since many of its senior people were already involved in the Obama Admin and even during that time, despite less corporate laissez-faire attitude, there was no strong push to have regulators hound companies for losing sensitive customer data. The reason I asked about suing is because admittedly I’ve pretty much lost faith that our government will introduce effective punitive measures.

The EU has been adjudicating many fines:

https://databrackets.com/the-largest-gdpr-violations-and-fines-in-2020/

And in Australia:

And in the UK:

And there are other significant examples from the US:

I was thinking along the lines of the British Airways case @MMTalker linked to, and some of the other EU fines.

It sounds like Sisyphus to me:

Oh, the good ol’ days of cramming! Force local telephone companies and wireless companies to allow others to add charges to their phone bills without customer approval. What could go wrong?

I didn’t have problems with T-Mobile as much as I did with my local phone company, which was called BellAtlantic at that time. Every other month, there’d be some charge for Safety service or Astrology or some other service I never requested. BellAtlantic was hamstrung. They had to bill me and were forced to turn over any funds to the third-party biller.

If I wanted the charge gone, I would have to contact the third party. Of course, that was impossible. Calling the contact number led to a recording that said the charge was probably authorized by my spouse or child. We

The Attorney General finally stepped in and sued over 100 companies for cramming. Federal regulations then changed the regulations to say if I wanted third party services, I personally would have to tell my phone company before they can charge for the service. That killed the business.