Nobody surprised as T-Mobile gets hacked after dismissing security concerns

This is more than just a funny true story – it’s also a great illustration of how some companies and people can stand to become a lot more serious about cybersecurity.

It all began with a tweet

On April 3rd, a few Twitter users began discussing a worrying thought – that T-Mobile Austria was probably storing user passwords in plain text.

Plain-text passwords are a bad idea. The minimum standard for password storage is called hashing. This uses a complex algorithm to turn your password into a garbled mess of text that is then stored by the company. Any system you enter your password into can compare to see if your password is correct without ever storing it in a format that is easy for humans to read.

The T-Mobile representative, however, thought this was nonsense.

There are lots of ways for a company to approach cyber-security and protect its users, from common-sense procedures to advanced software suites. On the easier end of the spectrum, rule No. 1 might be “Don’t taunt hackers into attacking your company by revealing a vulnerability and then saying your security is amazingly good.”

Not only did the rep confirm that they store plain-text passwords, she also decided to scoff at the suggestion that they should tighten their security.

And then they got hacked

On August 20th, T-Mobile noticed evidence of a hack that accessed sensitive user information. A few days later, they announced that the compromised information “may have included one or more of the following: name, billing zip code, phone number, email address, account number and account type (prepaid or postpaid).”

Note: If you’re a T-Mobile customer, click here to read their announcement and find out what you should do.

Fortunately, they also claimed that no sensitive information (like card numbers or passwords) was stolen (one must assume that the hack did not occur in Austria, or that they managed to clean up their act).

There is no obvious link between the tweets from April and the attack on T-Mobile in August. It’s also not yet entirely clear whether T-Mobile Austria was effected. If either of those things turns out to be true, however, I don’t think anyone would be surprised.

T-Mobile isn’t the only company with a flippant take on cybersecurity – it’s just the example du jour. There are lessons to be learned here for any security-conscious consumer, not just T-Mobile clients:

• The less you share your data, the better. Sometimes, giving away your data is inevitable. However, you can start securing your online life by looking into ways to improve your security and privacy. Maybe you can turn your social media account private? And is it worth giving away your email address to a shop for a discount?.
• Your data is never 100% safe. With that being said, each company’s attitude towards security is important. The more they take the security of your data seriously, the more they respect your wellbeing as a customer. Choose companies that take privacy and security seriously and distrust ones that don’t care.
• Cybersecurity tools significantly boost your safety online. Password managers, anti-malware software, and VPNs all help you improve your security. Read more about VPNs and privacy here.
• Legally accessed data and stolen data can be used together to steal your identity. Taken on its own, most of the data that T-Mobile says was stolen is difficult to use to steal your identity. However, when combined with publicly available information, that data can be enough for the hacker to do more damage. Plus, if it’s someone who had the technical skill and the malicious intent to hack into a major company’s database, they will probably also be able to access your data using other illegal means (to learn more about the most common tools and methods hackers use, click here).