T-Mobile got hacked and leaked over 2 million users' data

T-Mobile today confirmed that the telecom giant suffered a security breach on its US servers on August 20 that may have resulted in the leak of “some” personal information of up to 2 million T-Mobile customers. :hushed:

Ok? Do you have any opinions on the matter? Care to post some links?

1 Like

Got any articles or a source for the information, or do I have to google that myself?

Screw it I got impatient.


Based on the articles I listed, my thoughts are: anyone who uses the same PIN for T-Mobile and their credit card, I'd get that changed.

Also to add onto this…

So what I found above seems not to be related to the OP's statement; below is related.


https://www.t-mobile.com/customers/6305378821

1 Like


I didn’t get a notification, so hopefully I’m not one of the affected. Changed my T-mobile password anyway.

I'm pretty sure for European customers that's illegal; one of the new data protection laws states that a business must inform users when a security breach (on any level) has occurred.

That’s juicy! :wink:

Hopefully this doesn’t get railed as off topic, but when? Why? What’s the time frame of informing users?

How does this law protect data?

I believe you have a maximum time period of 72 hours, so they haven’t broken any law as of yet, but the clock is ticking, haha.

That’s absurd. I would intentionally be vague and ambiguous as a middle finger to the legislatures. Most Incident Response teams barely have a clue as to what’s going on at 72 hours.

Yeah, it’s hilarious that a government overreach is preventing small businesses from getting more customers.

You can see more here. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/

It's a little more complex than the initial suggestion above, but that's far more to explain.

TL;DR is something like this. A company has to inform the appropriate authority if there is a breach that involves certain types of personal data within 72 hours of becoming aware of the breach.

They have to inform affected individuals without undue delay if the breach may result in a high risk of affecting individuals rights and/or freedoms.

More specifically here:

Article 33, regarding Notification of a personal data breach to the supervisory authority: https://gdpr-info.eu/art-33-gdpr/

Article 34, Communication of a personal data breach to the data subject: https://gdpr-info.eu/art-34-gdpr/

2 Likes

“where feasible” – That wording was probably implemented by design. Good idea, in my opinion.

Is that checklist real?

The ICO is the authority in the UK. The checklist, I think, is for high-level people who don't know the implementation details. The ICO site is generally pretty good for getting slimmed-down guidance on it. You need the actual legislation for the implementors.

Now we’re getting somewhere, thanks.

The language seems to provide flexibility that doesn’t screw over security teams worldwide. A press release at three days saying “We’re working on it, update your passwords.” should be sufficient.

This reminds me of the New York finance law a while back. “You must have a CISO”. Really? Anyone? “YOU MUST HAVE A CISO”

Brb grabbing Janitor and naming him CISO.

1 Like

In the EU you would have already informed the relevant authority behind the scenes as soon as you’re aware of personal data being involved that is covered under GDPR.

Generally this stuff isn't there to punish people, unless those people are deliberately hiding failings.

The news articles linked are talking about their 7x million customers. So this is their US company only from that information.

1 Like

I think this component gets overlooked. Also, some people view this as a negative to “protect the business”.

Without straying too far off topic, these days it's pretty damn hard to prevent a breach; you try and make them pointless.

As an unintended consequence, it does (again, in my opinion). I certainly won’t be doing business with European citizens any time soon. There is also rumor that this is going to float over to the United States. This, plus the anti-encryption laws floating around, send me into a seething ball of blind rage (what else is new? :wink: )

I'm not opposed to guidelines and oversight regarding handling information, like security audits and reporting. But my initial reading of the GDPR was that it was very ambiguous, and any two-bit lawyer could accuse a ma-and-pa shop of "failing to disclose!" because of having a partial IP on file.

I'll tail it off (unless we make another topic?) that this scenario wouldn't necessarily work. You have to go through the regulatory authority; a two-bit lawyer gets a shrug-your-shoulders "have you reported your issue to the regulatory authority?" reply.

Why do they have an IP on "file" in the first place? If it's required, it's fine, you just have to be clear you need it; if it's not required, you should delete it.

Worth noting that IP information required for the functioning of networking and security is covered under Recital 49: https://gdpr-info.eu/recitals/no-49/

I have sent you a direct message on the matter.

Also, funny enough:

Lol Discourse :grin:

Just to make it clear, I’m in the USA, so T-mobile doesn’t owe me anything under the GDPR. Still would want to know, though…