Telecom T-Mobile has entered into long-term partnerships with cyber security provider Mandiant and management consultancy KPMG after private information of millions of customers and prospective customers was compromised in a cyber-attack on its US operations.

“We know we need additional expertise to take our cyber security efforts to the next level and we’ve brought in the help,” CEO Mike Sievert said in a statement on the company’s website.

“These arrangements are part of a substantial multi-year investment to adopt best-in-class practices and transform our approach. This is all about assembling the firepower we need to improve our ability to fight back against criminals and building a future-forward strategy to protect T-Mobile and our customers.”

The arrangement with Mandiant, which has helped with the forensic investigation since the cyber-attack, includes drawing on its expertise dealing with large-scale data breaches and developing a strategic plan to mitigate cyber security risks across the company.

KPMG’s cyber security team will perform a thorough review of all T-Mobile security policies as well as identify gaps and areas of improvement.

“Mandiant and KPMG will work side-by-side with our teams to map out definitive actions that will be designed to protect our customers and others from malicious activity now and into the future,” Sievert added.

He prefaced detailing the action plan by saying: “We know that the bad actors out there will continue to evolve their methods every single day and attacks across nearly every industry are on the rise. However, while cyber-attacks are commonplace, that does not mean that we will accept them.”

On the aftermath of the incident, he said: “The last two weeks have been humbling for all of us at T-Mobile as we have worked tirelessly to navigate a malicious cyber-attack on our systems.”

The breach has been contained and “fortunately, [it] did not expose any customer financial information, credit card information, debit or other payment information but, like so many breaches before, some [social security numbers], name, address, date of birth and driver’s licence/ID information was compromised.”

T-Mobile has notified “just about every” current affected customer or primary account holder and is now notifying former and prospective customers. It is also offering affected customers two years’ free identity protection services and recommending they sign up to free scam-blocking protection among other measures.

Since the breach, two lawsuits have been filed against T-Mobile USA in the United States.

One accuses the company of negligent conduct that put plaintiffs and class-action members at considerable risk by failing to protect them adequately.

In the other, victims are said to have spent as many as 1,000 hours addressing privacy concerns stemming from the attack, including reviewing financial and credit statements for evidence of unauthorised activity.

