If the extent of the T-Mobile breach is as bad as reported, cyber criminals now have access to nearly 50 million consumers' personal data — much of the right data to steal customers' identities and cause significant damage in people's lives. They would also have all the right pieces to put together clever phishing campaigns and further trick people into giving up more information or to drop malware/ransomware on their devices to propagate additional attacks.
However, the truth is, a lot of the data purported to be stolen in this attack is likely already available on dark web forums. But this amount of sensitive PII in one place, in one database — that makes it easier for attackers to execute phishing attacks at scale.
Identity theft is a real possibility with this incident. Again, a lot of the stolen data is probably already on dark web forums and available to cyber criminals and even the ultra-curious who have the wherewithal to find it. However, doing so and piecing the information together takes effort. Having a one-stop-shop, so to speak, for cyber criminals to obtain everything they need makes it easy. All the right data is included — Social Security Numbers, dates of birth, address information, etc. Further, the individual selling the T-Mobile customer data is claiming "full customer info," meaning, we might not know the extent of the breach yet, and even more personal data could be out there. Obviously T-Mobile isn't issuing detailed statements about what or how much was stolen, as they're working through the incident and trying to deduce the damage. Outsiders to the company may never have a full or clear picture and will be left to speculate — and watch their own accounts for evidence of breach.
Since we don't yet know many of the details, it's hard to say exactly what went wrong technologically or process-wise. Suffice it to say, the proverbial horse is out of the barn with this one; there is nothing T-Mobile, or any company, can do to claw back data that's been stolen. At this point, T-Mobile must be honest with customers and regulators about the extent of the breach. And they should be working with internal teams, outside experts, and law enforcement to remediate open vulnerabilities and improve cyber hygiene to make sure attackers can't get back into T-Mobile's systems. Closing up "the entry point used to gain access" is not enough, especially since this isn't the first time T-Mobile has been breached.
T-Mobile, like all businesses that deal in sensitive data (that is, almost all businesses), must deploy layered controls and test them continuously — that includes people, process, and technology. There is no silver bullet. There is no product suite to save companies from becoming the victim of a compromise. It's hypervigilant security practices, day in, day out, starting with the basics. Unauthorized access and misconfigurations seem to be the culprits in this incident. Zero trust access controls (every request authenticated and authorized, regardless of where on the network it comes from) and automated, continuous scanning for misconfigurations will go a long way toward reducing the chance of a repeat.
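What "automated scanning for misconfigurations" looks like in practice, as an added example that is not part of the original article and has nothing to do with T-Mobile's actual systems: a small rule-based scanner run over a constructed service inventory. The inventory records, field names, and rules are all hypothetical. The `auth-required` rule is the zero-trust piece: it fires for internal assets too, because being "on the inside" is not a substitute for authentication.

```python
"""Hypothetical misconfiguration scanner over a constructed service inventory.

Nothing here describes a real environment; the assets and rules are invented
to show how continuous configuration checks can be automated.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Finding:
    asset: str
    rule: str
    detail: str


# Well-known default credential pairs (constructed list for the example).
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("admin", "password")}


def _world_reachable(cidrs):
    """True if any allow-list entry covers the entire IPv4 or IPv6 space."""
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def rule_public_ingress(a):
    if a.get("internet_facing") and _world_reachable(a.get("allowed_cidrs", [])):
        return "allow-list contains 0.0.0.0/0 or ::/0"


def rule_auth_required(a):
    # Zero trust: unauthenticated access is a finding even on internal networks.
    if not a.get("auth_required", False):
        return "endpoint accepts unauthenticated requests"


def rule_default_creds(a):
    creds = a.get("credentials")
    if creds and (creds.get("user"), creds.get("password")) in DEFAULT_CREDS:
        return "default credentials still configured"


def rule_pii_encrypted(a):
    if a.get("stores_pii") and not a.get("encrypted_at_rest"):
        return "PII stored without encryption at rest"


def rule_tls(a):
    if a.get("internet_facing") and not a.get("tls"):
        return "internet-facing endpoint served without TLS"


RULES = [
    ("public-ingress", rule_public_ingress),
    ("auth-required", rule_auth_required),
    ("default-creds", rule_default_creds),
    ("pii-encrypted", rule_pii_encrypted),
    ("tls", rule_tls),
]


def scan(inventory):
    """Apply every rule to every asset; return the list of findings."""
    findings = []
    for asset in inventory:
        for name, check in RULES:
            detail = check(asset)
            if detail:
                findings.append(Finding(asset["name"], name, detail))
    return findings


# Constructed sample inventory: one badly exposed test database, one
# reasonably configured API, and one internal cache with no auth.
SAMPLE_INVENTORY = [
    {"name": "customer-db-test", "internet_facing": True,
     "allowed_cidrs": ["0.0.0.0/0"], "auth_required": False,
     "stores_pii": True, "encrypted_at_rest": False, "tls": False,
     "credentials": {"user": "admin", "password": "admin"}},
    {"name": "billing-api", "internet_facing": True,
     "allowed_cidrs": ["203.0.113.0/24"], "auth_required": True,
     "stores_pii": True, "encrypted_at_rest": True, "tls": True},
    {"name": "internal-cache", "internet_facing": False,
     "allowed_cidrs": ["10.0.0.0/8"], "auth_required": False,
     "stores_pii": False, "tls": False},
]


def scan_sample():
    return scan(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.asset}: [{f.rule}] {f.detail}")
```

In a real deployment the inventory would come from the cloud provider's API or a CMDB, the scan would run on every change and on a schedule, and each finding would open a ticket with an owner and a deadline; the point is that the checks are codified and repeated, not performed once during an audit.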
On the consumer side, potentially impacted customers can monitor their accounts for fraudulent activity and place a freeze on their credit reports, which blocks the credit check that lenders run when someone tries to open a new account or line of credit in their name. It also never hurts to change passwords and PINs, use a password manager to generate strong passwords, use biometrics (when possible), and turn on multi-factor authentication (when possible).