T-Mobile has experienced another data breach, as reported by TechCrunch. Hackers stole customer stole names, billing zip codes, phone numbers, email addresses, account numbers, and account type in what the company described as an “unauthorized capture of data.” IT security experts commented below.
Pravin Kothari, CEO at CipherCloud:
Yesterday, lightning struck T-mobile yet again. T-mobile announced to customers that hackers were found to have breached critical systems and captured names, emails, accounts numbers and more. This breach may have impacted approximately some 2 million accounts.
The moral of the story? You cannot keep attackers out of your networks. Strong perimeters are good, but no longer good enough. Attackers will get in at some point. This will happen to relatively well-defended networks such as T-mobile’s.
The solution? New Zero Trust best practices would likely have prevented all of these breaches. The first step would be to require that *all* customer and T-mobile employee authentication should be done using 2-factor authentication. After all, this is a mobile phone company – what’s not to like? A 2nd factor SMS TXT to each mobile phone associated with the account would have been good enough to stop the breach. There are rare instances where 2-factor has been breached, but the use of 2-factor is much better than just a password.
Other obvious solutions include the end-to-end encryption of customer data. End-to-end encryption, or Zero Trust encryption, is the most robust approach to data protection available today. Zero Trust encryption protects data at-rest in the database, in use, and in transit through the networks, API’s, middleware and applications. It is inevitable that misconfigurations, both on-premise and in the cloud will happen, but end-to-end encryption protects the data throughout the complete lifecycle of the data.”
Amit Sethi, Principal Consultant at Synopsys:
Javvad Malik, Security Advocate at AlienVault:
It isn’t always possible to prevent a breach, but by having good detection capabilities, companies can discover breaches and nefarious activities quickly and respond effectively.”
Andy Norton, Director of Threat Intelligence at Lastline:
The opinions expressed in this article belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.