Time to dust off the old “X company had a data breach. Here’s free credit monitoring as an apology” routine.
T-Mobile US Inc. said an investigation confirmed about 7.8 million current users had information stolen along with more than 40 million records from past or prospective customers who’d applied for credit in a cyberattack. The stolen information included customers’ full names, dates of birth, social security numbers, and IDs such as drivers licenses, the Bellevue, Washington-based company said in a statement on Wednesday. The hack doesn’t appear to have included credit card details or other financial information, it said. (Bloomberg)
Remember the days when Target and Home Depot data breaches were big, humongous deals? Now this stuff is so commonplace that most people essentially get continuous complimentary credit monitoring because when it’s set to expire, their data is breached elsewhere.
What bugs me the most is that it’s 2021 and we’re still relying on an antiquated nine-digit number given to Americans at birth as the end-all of identification. A driver’s license number is no better, since it’s the same number from the day it’s issued. Permanent “issued” numbers have no place in modern transactions. If anything, these numbers should be “master codes” used to generate rolling tokens or one-time-use codes for everything an SSN or license number is used for.
This problem has been solved for over a decade already with the TOTP tokens we use with Authy, Google Authenticator, or even SMS (which is itself insecure). Physical RSA fobs predate smartphones and do the same thing in hardware. The modern equivalent is a YubiKey or Titan Security Key, which again is a secure way to prove you are who you say you are.
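The "master code generates rolling codes" idea above is what RFC 6238 TOTP does; the sketch below is an added example, not part of the original post, and includes an issuer-side check that refuses a replayed code. The `Verifier` class and the sample key (the RFC's published test key) are assumptions for illustration, and the master is taken to be a random secret, since a nine-digit number could be brute-forced from a single observed code.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (RFC 6238 default)
DIGITS = 8   # the RFC test vectors use 8 digits; authenticator apps usually show 6


def totp(master: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a short-lived code derived from a long-lived secret."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(master, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical issuer-side check: each code is accepted once, within +/- `window` steps."""

    def __init__(self, master: bytes, window: int = 1):
        self.master = master
        self.window = window
        self.last_step = -1  # highest time step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP
        for step in range(now - self.window, now + self.window + 1):
            if step <= self.last_step:
                continue  # this step (or a later one) was already used: reject replays
            expected = totp(self.master, step * STEP, len(code))
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = step
                return True
        return False


# Constructed sample: the RFC 6238 Appendix B test key stands in for the master secret.
MASTER = b"12345678901234567890"

if __name__ == "__main__":
    issuer = Verifier(MASTER)
    code = totp(MASTER, 59)
    # First presentation is accepted, the second (a replay) is refused.
    print(code, issuer.verify(code, 59), issuer.verify(code, 59))
```

A code captured in a breach is useless once its time step has passed or it has been presented once; only the master secret, which never leaves the holder and the issuer, has lasting value.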
These days it’s best to assume any and all information you possess has been breached somewhere and is likely available on the dark web for anyone to purchase for pennies.