Lawmakers and regulators say they want answers from T-Mobile about a data breach that exposed the personal information of more than 40 million people to hackers, the latest sign of mounting regulatory scrutiny over the telecom giant's repeated security lapses.

T-Mobile's disclosure this week that hackers accessed data tied to roughly 7.8 million current subscribers, along with records for "just over" 40 million people who had applied for credit with the company, ignited a firestorm of criticism over its checkered security history. The breach exposed the names, birthdays, Social Security numbers and driver's license information of millions.

Federal Communications Commission spokesperson Paloma Perez said that the agency "is aware of reports of a data breach affecting T-Mobile customers and we are investigating."

"Telecommunications companies have a duty to protect their customers' information," Perez added in a statement.

The company seemingly sought to assuage fears about the breadth of information accessed by noting in a statement that "no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers."

But it did little to quell concerns in Washington, including on Capitol Hill, where lawmakers are calling for a fuller accounting of the hack and urging regulators to consider steep fines for lapses in the telecom industry.

"Congress must review this incident that exposed millions of Americans and act to strengthen protections for consumers," Sen. Ben Ray Luján (N.M.), who chairs the Senate Commerce subcommittee on communications, media and broadband, told me.

Lawmakers recently proposed legislation that would require certain private companies to report data breaches or face steep fines. And the FCC has in the past doled out multimillion-dollar fines to companies for violating consumers' privacy, including to phone carriers.

One prominent lawmaker suggested the FCC should hit companies like T-Mobile with what would be historic 10-digit fines over major security lapses.

"The FCC needs to send a clear signal — through mega fines in the billions — that wireless carriers have to prioritize cybersecurity and that there will be serious consequences for those companies that don't," said Sen. Ron Wyden (D-Ore.).

The threat of fines is meant to incentivize companies to make greater commitments to secure data. But critics have often called for regulators to also impose structural changes on companies to prevent future security lapses.

Acting FCC chairwoman Jessica Rosenworcel, then a commissioner, speaks at a Senate Commerce Committee hearing last year. (Alex Wong/Getty Images)

T-Mobile has disclosed at least five notable data breaches over the past four years, including this one, according to news reports.

The company disclosed that in December customers' call-related information and phone numbers may have been accessed in a breach. In March 2020, T-Mobile said a malicious attack against its email vendor gave hackers unauthorized access to the email accounts of some T-Mobile employees. In November 2019, the company notified affected customers that it "discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account." And in August 2018, hackers gained access to the personal information of about 2 million T-Mobile customers, including their name, email address, Zip code and account number.

T-Mobile last April also completed a merger with Sprint, which had its own history with data breaches before the deal.

A bipartisan cast of lawmakers said Wednesday that they are deeply troubled by the trend.

"This significant breach — particularly in the wake of past data lapses by this carrier — raises enormous concerns," Sen. Mark R. Warner (D-Va.), who co-chairs the chamber's Cybersecurity Caucus, said in a statement.

Rep. John Katko of New York, the top Republican on the House Homeland Security Committee, said he's "concerned that T-Mobile has experienced another data breach."

"This is symptomatic of a larger problem," Katko added. "As I have said before, cyber threats remain the preeminent threat of our lifetime."

Advocacy groups are already signaling that sternly worded statements and investigations may not be enough, however, and that more forceful action is warranted.

"Congress, the FTC, state legislators and attorneys general all have a role to play here," said Derek Turner, research director at Free Press.

Turner added: "And while holding T-Mobile accountable is critical, policymakers need to go much further to protect everyone from the consequences of lax corporate security practices and unnecessary data retention. The time to act is now."