Here We Go Again: Weak Password to Blame for Phone Giant's Data Breach
Personal data has become a highly marketable commodity, and hackers seem to try every possible means to get their hands on it. On the other hand, a data breach may occur not just because a hacker carries out a malicious attack. It could also be a result of utter negligence on the part of those who are supposed to protect that data. Lately, a string of unfortunate incidents has been plaguing major phone companies. These incidents are further proof that password security is extremely important when it comes to protecting personal data. But let us start from the very beginning.
T-Mobile Customer Data Breach
As of the second quarter of 2018, T-Mobile was the third biggest wireless carrier in the United States with 75.6 million customers. With such a mass of customers, T-Mobile has to process and store an insane amount of personal data. The more data one stores, the greater the possibility that one may experience a data leak. Whether it is a hacker attack or an internal incident, sometimes it is only a matter of time before something like that happens.
The same applies to T-Mobile as well. According to the news report at ZDNet, T-Mobile experienced an unauthorized entry into the company's network on August 20th. The unauthorized entry was quickly shut down, but it is believed that hackers could have gotten hold of customer names, phone numbers, email addresses, account numbers, and other types of personal data. While the communication giant maintains that none of the "financial data (including credit card information) or social security numbers were involved, and no passwords were compromised," the fact that the breach did occur is enough to assume that we are bound to expect similar attacks in the future.
It also raises questions whether phone companies do everything they can to ensure the safety of their customer data. After all, a major phone company data breach could result in a great financial loss.
Weak Staff Portal Passwords at Sprint
As you can probably tell, T-Mobile is not the only company that might have a problem securing the safety of their customer data. Sprint Corporation, which is the fourth-largest mobile network operator in the United States, was also found to be vulnerable to potential hacker attacks.
While the company hasn't experienced a malicious data breach as of yet, a researcher at TechCrunch has figured out how to access the Sprint staff portal, which allows accessing customer account data. Now, it might seem that the researcher must have performed some sort of voodoo to enter the portal of one of the biggest telecommunication companies in the US, but the truth is that the staff portal wasn't protected properly.
The researcher was able to access the portal using a very simple username and password combination. What's more, the log-in page did not have two-factor authentication. Two-factor authentication would offer a second layer of protection for any kind of data. For instance, aside from entering a password, you might also need to provide a code that is sent out to your email or phone number. Yet, Sprint did not use that.
Worst of all, anyone with access to this staff portal could have changed customer data and account data. In other words, this phone company data breach would eventually lead to multiple problems and illegal activities. In particular, researchers suggest that if hackers get access to all the customer data, they could easily carry out a SIM swap attack.
What Is a SIM Swap Scam?
SIM swap is rather self-explanatory. The scam is carried out in order to take over a phone account. The SIM swap attack usually occurs when a user loses their phone or has it stolen. Hackers convince the telecommunication companies that they are the real customer and the SIM swap occurs. When it happens, users immediately lose phone connection, and they can no longer access the telecommunication network.
What do hackers do with the phone number they obtain? Needless to say, they are not interested in phone calls and text messaging at your expense. For the most part, they need the phone number for one-time passwords and other data that can be sent to a phone number when they try to access various accounts. If those accounts employ multi-factor authentication, a swapped SIM is exactly what hackers need to circumvent that!
How to Prevent a Phone Company Data Breach?
The job of preventing the data breaches that we have mentioned in our article should be mostly carried out by the companies that store that data. A regular user can hardly offer their input to protect a corporate database. It is, however, possible to give active customer feedback to the companies in hopes that genuine customer concern would push them into working harder on ensuring the safety of your personal data.
But is there anything an end-user could do to feel at least a little bit safer? Even though you cannot prevent a phone company data breach by yourself, you can at least work towards making sure that no data leak occurs on your side. That is to say, you can always employ strong passwords to protect your data. Computer security experts by now are probably tired of saying how crucial it is to use unique passwords for every single account you have. And perhaps you already know that, but it is really hard to come up with new passwords every single time, right?
If that is the case, perhaps you should consider using a password manager to generate and store your passwords. It doesn't matter which browser you use or how many different accounts and passwords you have. A reliable password manager will take care of everything. It will also renew your passwords regularly! After all, changing your passwords once in a while is also important, isn't it?
And when your account information is protected by a reliable password manager, all you have to do is hope that your phone company is also taking all the measures necessary to safeguard your personal data.