The Washington PostDemocracy Dies in Darkness

The Technology 202: A T-Mobile hack exposed the data of millions. Policymakers want answers.

Placeholder while article actions load

with Aaron Schaffer

Lawmakers and regulators say they want answers from T-Mobile about a data breach that exposed the personal information of more than 40 million people to hackers, the latest sign of mounting regulatory scrutiny over the telecom giant’s repeated security lapses.

T-Mobile’s disclosure this week that hackers accessed data tied to roughly 7.8 million current subscribers, along with records for “just over” 40 million people who had applied for credit with the company, ignited a firestorm of criticism over its checkered security history. The breach exposed the names, birthdays, Social Security numbers and driver’s license information of millions. 

Federal Communications Commission spokesperson Paloma Perez said that the agency “is aware of reports of a data breach affecting T-Mobile customers and we are investigating.”

“Telecommunications companies have a duty to protect their customers’ information,” Perez added in a statement.

The company seemingly sought to assuage fears about the breadth of information accessed by noting in a statement that “no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.” 

But it did little to quell concerns in Washington, including on Capitol Hill, where lawmakers are calling for a fuller accounting of the hack and urging regulators to consider steep fines for lapses in the telecom industry.

“Congress must review this incident that exposed millions of Americans and act to strengthen protections for consumers,” Sen. Ben Ray Luján (N.M.), who chairs the Senate Commerce subcommittee on communications, media and broadband, told me.

Lawmakers recently proposed legislation that would require certain private companies to report data breaches or steep face fines. And the FCC has in the past doled out multimillion-dollar fines to companies for violating consumers’ privacy, including to phone carriers. 

One prominent lawmaker suggested the FCC should hit companies like T-Mobile with what would be historic 10-digit fines over major security lapses.

“The FCC needs to send a clear signal through mega fines in the billions that wireless carriers have to prioritize cybersecurity and that there will be serious consequences for those companies that don’t,” said Sen. Ron Wyden (D-Ore.).

The threat of fines is meant to incentivize companies to make greater commitments to secure data. But critics have often called for regulators to also impose structural changes on companies to prevent future security lapses.

T-Mobile has disclosed at least five notable data breaches over the past four years, including this one, according to news reports.

The company disclosed that in December customers’ call-related information and phone numbers may have been accessed in a breach.

In March 2020, T-Mobile said a malicious attack against its email vendor gave hackers unauthorized access to the email accounts of some T-Mobile employees. In November 2019, the company notified affected customers that it discovered and shut down malicious, unauthorized access to some information related to your T-Mobile prepaid wireless account. 

And in August 2018, hackers gained access to the personal information of about 2 million T-Mobile customers, including their name, email address, Zip code and account number. 

T-Mobile last April also completed a merger with Sprint, which had its own history with data breaches before the deal. 

A bipartisan cast of lawmakers said Wednesday that they are deeply troubled by the trend. 

“This significant breach particularly in the wake of past data lapses by this carrier raises enormous concerns,” Sen. Mark R. Warner (D-Va.), who co-chairs the chamber’s Cybersecurity Caucus, said in a statement.

Rep. John Katko of New York, the top Republican on the House Homeland Security Committee, said he’s “concerned that T-Mobile has experienced another data breach.”

“This is symptomatic of a larger problem,” Katko added. “As I have said before, cyber threats remain the preeminent threat of our lifetime.”

Advocacy groups are already signaling that sternly worded statements and investigations may not be enough, however, and that more forceful action is warranted. 

“Congress, the FTC, state legislators and attorneys general all have a role to play here,” said Derek Turner, research director at Free Press.

Turner added: “And while holding T-Mobile accountable is critical, policymakers need to go much further to protect everyone from the consequences of lax corporate security practices and unnecessary data retention. The time to act is now.”

Our top tabs

The FTC is set to refile its lawsuit against Facebook in Lina Khan’s first major test as its chair. 

The Federal Trade Commission is staring down a major deadline today to refile the lawsuit after a judge dismissed it in June, Cat Zakrzewski reports. Khan’s legacy as an aggressive antitrust enforcer could hinge on the high-profile case. 

“This is the most important case you have,” former FTC chair William Kovacic said. 

U.S. District Judge James E. Boasberg dismissed the case just weeks into Khan’s tenure as chair of the FTC. She inherited the case from her predecessors during the Trump administration but will have to be the one to shepherd it to victory, Cat writes. 

Facebook wasn't fully forthcoming with the White House about the scope of its coronavirus misinformation problems, according to administration officials.

The officials thought meetings with Facebook on coronavirus misinformation were less productive than with company rivals like YouTube and Twitter, Elizabeth Dwoskin, Cat Zakrzewski and Tyler Pager report.

“It’s not that they wouldn’t provide data,” said Andy Slavitt, who was a senior adviser on the White House’s coronavirus team and attended meetings between Facebook and White House officials. “It’s that they wouldn’t provide meaningful data, and you end up with a lot of information that doesn’t necessarily have value.” 

Facebook spokesman Andy Stone blasted the criticisms, saying that “the suggestion we are trying to hide or prevent research into the role our platform plays is anecdotal and inconsistent with the facts. The company also shared information on the amount of misinformation that had been taken down from its platform, a point that CEO Mark Zuckerberg reiterated in a CBS interview airing this week when he was asked about the universe of misinformation on the site. 

Facebook presented itself as a spam folder in a new report, Will Oremus writes. 

The company published its first “Widely Viewed Content Report” as it tries to deflect criticisms that conservative and right-wing pages are the site’s highest-performing, Will writes. The list itself is bizarre at times, with a link to a Green Bay Packers alumni website taking the top slot as the second quarter’s most-viewed link. 

Asked about that page, Facebook spokesperson Ryan Peters said that “when content from lesser known creators goes viral it isn’t necessarily a bad thing. It shows that anyone, not just established superstars, can reach a wide audience on the platform so long as their content is compelling.” 

Many researchers are ambivalent about the report, saying the metrics are handpicked and shouldn’t substitute for Facebook’s CrowdTangle tool. The company has moved to rein in the tool, according to the New York Times. 

“It’s like ExxonMobil releasing their own study on climate change,” said a former employee who spoke on the condition of anonymity because of a nondisparagement clause. “It’s something to counter the independent research and media coverage that tells a different story.” 

Rant and rave

The New York Times’s Kevin Roose wrote an essential thread on Facebook’s “Widely Viewed Content Report,” breaking down the blind spot in its methodology:

Evelyn Douek, a lecturer at Harvard Law School:

Gizmodo’s Shoshana Wodinsky:

Hill happenings

Amazon is emailing sellers to warn them about Congress’ Big Tech antitrust bills (CNBC)

Inside the industry

Policy groups ask Apple to drop plans to inspect iMessages, scan for abuse images (Reuters)

Taliban Ramp Up on Social Media, Defying Bans by the Platforms (New York Times)

Google outlines future of its search engine (Financial Times)


9to5Mac writer paid source $500 in bitcoin for stolen Apple data (Motherboard)

Before you log off