T-Mobile breach fallout — it's time to decide who deserves your business

T-Mobile MVNOs
(Image credit: T-Mobile)

This week, we saw a huge data breach at U.S. wireless carrier T-Mobile that exposed the names, Social Security numbers and dates of birth of some 48 million people. It's T-Mobile's fifth, possibly sixth, data breach in the past three years.

We also saw that many widely used U.S. food- and grocery-delivery apps take only minimal steps toward protecting user accounts and credit-card numbers. The result is that it's maddeningly easy to hijack an account with some of the best-known delivery apps.

It's time for consumers to act. If you want to keep your personal and financial data protected, then you should stop doing business with companies that don't adequately protect your personal data. Switch to companies that do a better job of it.

How does a company respond to a breach?

To be clear, I'm not advocating dropping every company that suffers a data breach. Breaches happen, unfortunately, even to companies that take personal-data security very seriously.

What you need to watch instead is how a company responds to a data breach. Does it tighten up its security? Does it put new safeguards in place? If so, you can assume the company is making good-faith efforts to try to make sure it doesn't suffer any more breaches.

Red flags arise, however, when a single company has a run of data breaches. T-Mobile has a horrible record of this. It gets breached again and again and again. It's hard to tell if the company even cares.

In the most recent T-Mobile breach, it appears that the company didn't properly encrypt the Social Security numbers of tens of millions of people who applied for T-Mobile accounts. All those people are now at severe risk of identity theft because the T-Mobile breach also compromised their names, addresses and dates of birth.

So are Verizon and AT&T any better? Yes. Verizon had a data leak in 2017 when some data was exposed on a third-party server, but that's the last incident that I know of. 

Verizon also publishes the well-regarded annual Data Breach Incident Report, an authoritative analysis of known cybersecurity incidents in the previous year.

As I write this, there are reports that a known group of hackers has stolen data pertaining to 70 million AT&T accounts. The company has taken a look at the data and said it didn't come from its servers. 

We'll have to see how that plays out, but we can also tell you that we haven't reported on any other AT&T data breaches in many years.

No 2FA, no sale

Meanwhile, what about food-delivery apps? Are they really that bad? 

Let's put it this way: It doesn't take a lot of effort for a company to offer two-factor authentication (2FA) to its customers to better protect their accounts. 

2FA is a pretty commonplace feature that makes sure anyone logging into an account from a new device or location, even with the correct username or password, has to input an extra temporary code that's sent to or generated on the legitimate user's phone.

But among seven different food- and grocery-delivery apps that we signed up with, only UberEats and its subsidiary Postmates offered 2FA as an option. The rest would let anyone sign in from anywhere as long as they had a registered user's username and password. And hundreds of millions of stolen usernames and passwords are floating around the internet, ripe for the taking.

So what can you do? You can bother those companies that don't implement 2FA by going to the 2FA Directory and clicking the links to send them messages via Twitter, Facebook or email. Or you can vote with your wallets and use the same directory to switch to those companies that better protect your personal data.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

TOPICS