T-Mobile recently agreed to a $350 million settlement to resolve a class action lawsuit filed in response to a 2021 data breach that affected more than 75 million customers. As part of that settlement, the telecommunications company also agreed to spend $150 million to improve data security, according to an SEC filing. But the company’s data breach woes continue.
T-Mobile has experienced at least five data breaches since 2018, according to Wired. On January 19, it released a statement on its latest breach. The company determined that a bad actor was able to leverage a single API to access customer data. The breach impacted “approximately 37 million current postpaid and prepaid customer accounts, although many of these accounts did not include the full data set,” the company reported in an SEC filing. While smaller than the 2021 breach, millions of customers still have to contend with their data being exposed. And T-Mobile is faced with the prospect of the consequences of yet another data breach.
Potential Consequences
What could the consequences for T-Mobile look like? “They could certainly face another class-action suit, but we’ve also seen states strengthen data privacy laws in the past two years, which could land T-Mobile in hot water with state regulators differently than the previous breach,” Bill Bernard, area vice president of security strategy at cybersecurity services company Deepwatch, tells InformationWeek. Five states have comprehensive consumer data privacy laws, according to the National Conference of State Legislatures. Many more have introduced their own privacy legislation.
This breach may also impact how much the company plans to spend on shoring up its cybersecurity strategy. Although smaller in scope than the 2021 breach, this latest incident suggests the company still has work to do when it comes to data security. “This leak appears to be roughly one-third smaller, so we can expect the punitive expense to be concurrently smaller with this go-around. What we can’t know is how much more their efforts to ‘double down’ on cybersecurity will cost,” says Ivan Novikov, CEO and co-founder of end-to-end API security company Wallarm.
Long-Term Impact
In its SEC filing detailing the breach, the company noted that it does “not expect that it will have a material effect on the Company’s operations.” It also acknowledged that changes in customer behavior could negatively impact its operations. But for now, it does not seem that the company is anticipating major fallout from this breach.
“With consumer choice limited, and with their practical experience with their 2021 breach, I’m sure T-Mobile has done the calculus and recognized that even a major class-action suit won’t really impact them long term,” says Bernard.
If this pattern of breaches continues, the company could face more impactful ramifications. “It’s possible, if this pattern of a major breach every nine months or so continues, that customers, shareholders, and regulators will tire of it and demand real action,” says Novikov. He also notes that further investment in cybersecurity may affect the company’s rate of innovation and consequently its growth.
Repeated breaches could also eventually take their toll on customer loyalty. “Companies experiencing successive major security incidents need to start investing more heavily in the necessary systems and solutions to reduce their cyber risk, or they may have to completely rebrand, lose executives, and do some restructuring in order to retain any credibility among their customer base,” says Jesus Peña, executive vice president and chief experience officer of IT firm UDT.
Cybersecurity Investment
The argument for investing in cybersecurity is made clear by these kinds of breaches, but will it be enough?
“I fully expect that security spending and improvements will lag behind revenue-generating spending unless these things change,” Bernard anticipates. “Perhaps class-action lawsuits will eventually impact businesses enough to change this. Perhaps consumers will get protection with teeth through government agencies.”
Companies may simply consider data breaches inevitable and regulatory actions and class action lawsuits as an acceptable cost of doing business. “Unfortunately, I believe other companies are currently able to learn the wrong lessons: that these breaches are not extremely financially impactful, given the lack of consumer choice in many instances, the lack of regulatory teeth and other factors,” says Bernard.
“Modern companies need data to operate, and that data will leak at some point to some extent — so, breaches are likely to continue,” Novikov points out. Rather than completely eliminating breaches, companies will more likely be able to differentiate themselves in the way that they respond to security incidents.
“A strong security program with deep detect, respond, and recover capabilities is crucial in today’s reality, unless you have the deep pockets to weather them as a cost of business, like T-Mobile seems to feel they can,” Bernard argues.