T-Mobile Data Breach and Blackberry Problems: Cybersecurity News for the Week of 08/16/21
Posted by: GuidePoint Security
Published 8/26/21 9:30AM
The big news last week was, of course, the massive T-Mobile breach. Just in case you missed the stories in the news, we’ll provide a brief overview of the attack, what was stolen, and what security professionals are recommending for remediation. We will also take a look at flaws in older versions of BlackBerry’s QNX Real-Time Operating System (RTOS) that are affecting millions of vehicles, embedded systems, and industrial control devices around the world. And finally, we’ll review an SDK bug that could enable attackers to spy on millions of Internet of Things (IoT) devices.
- Up to 100 million customers affected by T-Mobile cyberattack and data breach
- Blackberry operating system vulnerability affects millions of cars and medical devices
- SDK bug enables spying on IoT devices
Final Words
Anyone who shops at major chain stores (several of which have been victims of breaches over the last few years) knows all too well the consequences of a big breach: spam emails and text messages about cheap mortgages and pharmaceuticals, and free credit monitoring, apologies, and promises to do better from the victim organization. Today, breach fatigue is real, and undoubtedly there are more than a few T-Mobile victims who, at this very moment, are saying “Blah, blah, blah. Another opportunity for free credit monitoring. Whoop-dee-doo.”
But this T-Mobile breach is different. The scope and scale of the breach—and the types and combination of data stolen—mean that anyone who is currently or has ever been a T-Mobile customer, as well as anyone who ever applied for a T-Mobile account but never ended up opening one, is at risk. The victim list likely includes CEOs and other business executives, government employees, individuals with Top Secret or higher-level clearances, scientists working on highly sensitive and competitive projects and programs, individuals with access to sensitive information and technology, and even cybersecurity professionals.
When it comes to data handling and data privacy laws, the United States is woefully behind its counterparts. For example, security professionals are currently asking questions like “Why did T-Mobile need to hold on to so much data on so many people who weren’t actually using the T-Mobile service?” While the European Union’s General Data Protection Regulation (GDPR) requires data minimization, no such requirement has yet been standardized or codified in the United States.
While we may never know the reasons why, what we do know is that the T-Mobile breach could have been prevented through appropriate penetration and vulnerability testing, multi-factor authentication requirements, and even the implementation of government regulations around SIM cards and customer data protection.
Breaches are going to happen. But this breach will likely go down in the annals as one of the most notorious. Hopefully, it will also go down in the annals as one of the last of its kind.