As far as digital heists go, last week’s T-Mobile hack was about as complicated as a convenience store smash-and-grab, albeit one that exposed the personal data of 40 million-plus customers. In lieu of any ransom schemes, the stolen records of 30 million of those consumers quickly wound up for sale with a reported initial asking price (in bitcoin, naturally) of roughly $270,000.
Despite the brash nature of the attack and the damage it potentially inflicts on tens of millions of consumers, there’s a real risk that this T-Mobile breach will soon fade from headlines and the attention spans of consumers and business leaders. Third party risk management (TPRM) professionals and their counterparts cannot afford to make the same mistake. The brazen cyber-attack is noteworthy for several reasons of interest to TPRM teams, including:
Similar vigilance is required by businesses. “A cloud of secrecy and shame surrounding cyber-attacks amplifies the difficulties,” notes a recent Economist editorial. “Firms cover them up. The normal incentives for them and their counterparties to mitigate risks do not work well. Many firms neglect the basics, such as two-step authentication.” The Economist argues that standards requiring more detailed cybersecurity-related disclosure for all companies would enable investors, insurers and outsourcers to better identify firms that are underinvesting in security – and respond accordingly: “Faced with higher insurance premiums, a flagging stock price and the risk of litigation, managers might raise their game. Manufacturers would have more reason to set and abide by product standards for connected gizmos that help stem the tide of insecure IoT devices.”
Internet of Things security represents a major third party risk as well as a rising strategic risk. If cyberattacks become too costly or disruptive, businesses and consumers may shy away from using new and emerging technologies, which would limit the benefits those breakthroughs deliver to investors and society (think of the medical benefits of healthcare IoT applications or the environmental benefits of connected and electric vehicles).
After learning of the attack, savvy T-Mobile customers immediately changed their passwords, signed up for the free identity theft protection services the carrier offered, and activated T-Mobile’s account takeover protection mechanism. The cyber-savviest consumers had already enacted credit freezes and defenses against SIM card swaps as defense measures.
The T-Mobile cyberattack is yet another reminder that TPRM professionals also need to sustain, and continually improve and adjust, their own cybersecurity practices.