T-Mobile Lessons Learned | Altaware, Inc. Cyber Security Blog

T-Mobile Lessons Learned

Two interesting lessons/observations from the T-Mobile breach so far:
- Outsourcing doesn't alleviate the risk or need for oversight
- Sensitive data should expire over time

It's great to see the T-Mobile CEO is real mad about the T-Mobile hack resulting from poor cyber security at Experian, but being mad isn't enough. I'm mad over the highly personal data they collect, store and KEEP just to set up a cell account, to mitigate THEIR risk of non-payment, but it was our entire identities that were put at risk over their payment concerns.

We need to start demanding that:
- Only appropriate and necessary data be collected, not just whatever reduces their payment risk (they collected more sensitive data than some car loans require).
- When a service can be terminated quickly for non-payment, just how much identity risk is acceptable? No repo man is required to recover the loss, and the cost of a phone doesn't compare to a new car. The risk tradeoff scales were highly tilted in their favor/convenience.
- After credit and payment history has been established, some data ought to be deleted (or just never collected)!
- Sensitive data used for identification must not be retained once identity has been proven for account creation and some payments have been received!

At the same time, we ought to demand:
- Credit monitoring at multiple agencies, scaled to the field types lost: the more identifying the data, the more agencies and the longer the monitoring period.
- Compensation to the individuals affected by the loss commensurate with the suffering and time lost.
- Anyone who unreasonably stores or retains our sensitive data should be fined heavily; only then will it stop!