At a glance.
- T-Mobile’s breach exposed millions, but does anyone care?
- More on the T-Mobile breach.
- Data handling regulations could be a matter of convenience.
- Apple’s new child protection tech continues to generate major controversy.
T-Mobile’s breach exposed millions, but does anyone care?
The cybersecurity community continues to react to T-Mobile’s disclosure of a massive breach that exposed the data of more than 48 million people. Security Week offers an overview of the incident, noting that the stolen data are being offered for sale by cybercriminals on underground forums, where they can be used for identity theft, phishing operations, or the phone-number hijacking practice known as SIM-swapping. “It’s probably the biggest gift to SIM-swappers they’ve received in years,” Allison Nixon, chief research officer at Unit 221B, told the Wall Street Journal. Since T-Mobile has determined that over 40 million of those affected were not current customers but prospective or former ones, Wired asks whether the carrier needed to retain the data of so many individuals who were not actually using its services. The incident highlights the importance of data minimization, a practice required by the EU’s General Data Protection Regulation but not yet codified in the US. With breaches like this one becoming an everyday occurrence, the Washington Post wonders whether we’re all feeling “breach fatigue.” Maurice Turner, cybersecurity fellow at the German Marshall Fund’s Alliance for Securing Democracy, explains, “I think the public is already at the point of seeing tens of millions of customer accounts compromised as a non-story.”
More comment on the T-Mobile breach.
Sotero's co-founder and chief security evangelist, Purandar Das, thinks that more information about the incident is needed before its true impact can be assessed:
“The public needs more information on this particular incident. The initial reports indicate that data including Social Security numbers was lost. The next statement indicates that no payment information was lost. This is indicative of trying to minimize the data loss. Also concerning is that they seem to have lost information related to prospects that applied for credit. In all reality, there really is no more sensitive information that can be lost. The payment information is really less relevant here if the criminals have the information to procure new credit using the stolen info. Also needed is the reason and method this data was compromised. The fact that, in this day and age, a well-funded organization is an emphatic data point on how organizations continually underestimate the complexity of their data ecosystems. It is also a reflection of organizations that are reluctant to change their stand on the security approach and the technologies they think they understand.”
John Noltensmeyer, CTO of TokenEx, thinks tokenization is an overlooked way of protecting data in situations like this:
"Tokenization remains one of the best ways to protect the personal data your organization collects and processes. By removing this data from your environment and making it inaccessible to cybercriminals, tokenization can help you minimize the impact of a security incident—even if your internal systems become compromised."
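To make the point concrete, here is an added illustration of the property Noltensmeyer describes. It is not TokenEx's code or anything from the original page; it assumes a hypothetical application database (the environment an attacker is presumed to compromise) and a separate token vault that alone holds the mapping from tokens back to real values, both simulated as in-memory dictionaries with constructed sample records.

```python
"""Tokenization as a breach-impact limiter (added example, not from the page).

Assumed architecture: an application tier stores only opaque tokens; a vault,
reachable solely through its own API, stores the sensitive values. If the
application database is exfiltrated, the dump contains no SSNs.
"""
import re
import secrets

SSN_RE = re.compile(r"\d{3}-\d{2}-\d{4}")


class TokenVault:
    """Holds the only copy of each sensitive value, keyed by a random token.

    Tokens come from a CSPRNG and are not derived from the value, so a stolen
    token cannot be reversed offline. (Contrast a hash of an SSN: the input
    space is only ~10^9 values, cheap to enumerate even with a salt.)
    """

    def __init__(self) -> None:
        self._value_by_token: dict[str, str] = {}
        self._token_by_value: dict[str, str] = {}

    def tokenize(self, ssn: str) -> str:
        if not SSN_RE.fullmatch(ssn):
            raise ValueError("malformed SSN")
        if ssn in self._token_by_value:      # same input -> same token
            return self._token_by_value[ssn]
        token = "tok_" + secrets.token_hex(16)
        self._value_by_token[token] = ssn
        self._token_by_value[ssn] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers with vault access can recover the real value."""
        return self._value_by_token[token]


class AppDatabase:
    """The system an attacker is assumed to compromise; it never stores an SSN."""

    def __init__(self, vault: TokenVault) -> None:
        self._vault = vault
        self.rows: list[dict[str, str]] = []

    def add_customer(self, name: str, ssn: str) -> None:
        self.rows.append({"name": name, "ssn_token": self._vault.tokenize(ssn)})

    def dump(self) -> str:
        """What a database exfiltration would yield (CSV, one row per record)."""
        return "\n".join(f"{r['name']},{r['ssn_token']}" for r in self.rows)


def leaked_ssns(dump: str) -> list[str]:
    """Scan an exfiltrated dump for anything shaped like an SSN."""
    return SSN_RE.findall(dump)


def demo() -> tuple[int, int]:
    """Tokenize constructed sample records; return (rows stored, SSNs in dump)."""
    vault = TokenVault()
    db = AppDatabase(vault)
    # Constructed sample data, not real people; the duplicate SSN shows that
    # the same value maps to the same token.
    samples = [
        ("A. Applicant", "123-45-6789"),
        ("B. Former", "987-65-4321"),
        ("C. Prospect", "123-45-6789"),
    ]
    for name, ssn in samples:
        db.add_customer(name, ssn)
    dump = db.dump()
    # The application can still resolve a record, but only via the vault.
    assert vault.detokenize(db.rows[0]["ssn_token"]) == "123-45-6789"
    return len(db.rows), len(leaked_ssns(dump))


if __name__ == "__main__":
    stored, leaked = demo()
    print(f"records stored: {stored}, SSNs recoverable from dump: {leaked}")
```

Two design points worth noting. Deterministic tokenization (same SSN, same token) lets the application deduplicate and join on the token, but it also reveals to a thief which records share a value; deployments that need to hide even that issue a fresh token per record. And tokenization only narrows the blast radius to the vault: the vault itself, its access controls, and the audit trail of detokenize calls become the assets that must be protected most carefully.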
Data handling regulations could be a matter of convenience.
CStore Decisions looks at how data privacy laws could affect convenience store operations, noting that these regulations will influence how customer information is obtained and, once acquired, who can monetize it. Cindy Kaplan, director of marketing for Halock Security Labs, explains that the forthcoming PCI DSS v4.0 standard will dictate how payment card data must be handled: “A key takeaway from PCI is that organizations would definitely need to review their operations and assess their risk posture.”
Apple’s new child protection tech continues to generate major controversy.
Apple’s controversial new child protection features continue to spark debate, and Reuters reports that today an international coalition of more than ninety policy and activism groups, including the American Civil Liberties Union, the Electronic Frontier Foundation, and Privacy International, released an open letter urging the company to drop the features, for fear “they will be used to censor protected speech, threaten the privacy and security of people around the world, and have disastrous consequences for many children." As the Center for Democracy and Technology points out, a central concern is that once on-device hash scanning is in place, Apple could face pressure from governments seeking to repurpose it for their own ends. Vice reports that researchers have already found weaknesses in the perceptual hash function, called NeuralHash, having produced collisions: distinct images that the function maps to the same hash. Apple responded that the version of NeuralHash tested was a generic one, not the final and presumably stronger iteration.