Stolen PII from August 2021 T-mobile USA Data Breach

It seems this stolen data has now led to actual cases of identity theft.

I can feel some litigation coming on (class action maybe) …

I can’t exactly speak for the US but if it’s the same in the US as it is here then the government is part of the problem. Telecommunications providers are forced to collect all this PII (and it is presumably verifiable, so you can’t just give the provider some made-up information).

Don’t collect it and it can’t be stolen.

Yeah, and not just the telecoms, either; practically every utility and service you can think of. There really need to be some imposed best practices and stiff penalties for failure to secure PII.

As for class action lawsuits, in the U.S., it’s the attorneys who always get the lion’s share (or the whole pride’s, more like) of any cash settlement. Actual victims may get a couple of bucks, and maybe some useless credit monitoring for a year. :roll_eyes:

I should add: you can mitigate some of the risk by using AweSIM, where that is an option available to you.

That doesn’t exactly work. The government is already imposing poor practice i.e. collecting a lot of info that is not needed for the purposes of delivering the service.

Yes, sort of. However that looks a lot like punishing the victim of a crime. I mean sure if the company has been absurdly negligent / reckless / substantially contributed to the success of the crime.

The problem then is that it may be very difficult to establish how the crime succeeded.

So let’s say that a company’s database turns up for sale online - and no one (not the finest cyberforensic experts in the country) is ever able to work out how the perps got the database. Is it fair to punish the company? They may well have followed best practice to the letter.

How about (just thinking aloud): For a data breach of that size, the company has to pay for the independent, external, expert forensic investigation. If the investigation turns up unreasonable failure to follow best practice and that failure contributed to the success of the crime then the government takes the company to court with the goal of securing a pecuniary penalty (i.e. a fine).

That puts a cost on the company for the data breach - and creates an incentive for good cybersecurity.

However we should be real … if data breaches are too widespread then that cost is ultimately borne by the consumer.

Let’s make it harder.

A database turns up for sale online. Prove that it’s company A’s database rather than company B’s database.

What if it is the aggregation of data from multiple databases? Maybe even including a few government databases.

