Well, this is a splendid bit of good timing: two days after we wrote about poor disclosure of a cybersecurity breach at one large company, another large company has suffered a breach of its own and given us a very different example of how to handle your disclosure duties.
The latest victim is T-Mobile, which confirmed on Tuesday that hackers had stolen the personal data of more than 40 million current, former, or prospective customers. That announcement came after online news website Vice.com reported that T-Mobile customer data was available for sale on the dark web. (Even better, Vice.com got a comment from the purported perpetrator, who is asking for $270,000 for 30 million records; the other 10 million are already under agreement.)
The T-Mobile breach intrigues me because earlier this week the Securities and Exchange Commission hit education publishing giant Pearson with a $1 million penalty for making misleading statements to investors in 2019 about a breach that company had experienced. So now we have the chance to compare what each firm said about its breach, and compliance officers can draw their own conclusions about which is the better approach.
First, the T-Mobile timeline. On Aug. 15, Vice.com published its story that somebody was selling the personal records of 100 million people on a dark web forum, and that person said the data came from T-Mobile servers. The thief supplied samples of the data to Vice so that reporters could confirm the stolen records’ authenticity. He or she also said T-Mobile apparently had already discovered the breach “because we lost access to the backdoored servers” and couldn’t steal any more data as of Sunday.
T-Mobile published a preliminary statement the following day (Aug. 16) confirming that it was investigating a breach, but including few specifics. Example: “We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved.”
So far, so bland. Then came T-Mobile’s next statement.
T-Mobile’s Cyber Breach Disclosure
On Tuesday, Aug. 17, T-Mobile offered a far more expansive statement about its data breach. The statement was 617 words long, and included 14 bullet points offering details about exactly what was stolen and how T-Mobile planned to respond.
Among the highlights:
- When T-Mobile learned of the breach. “Late last week we were informed of claims made in an online forum that a bad actor had compromised T-Mobile systems.”
- Confirmation that, yes, personal information was stolen. “We have now been able to confirm that the data stolen from our systems did include some personal information.”
- What types of information were stolen. “Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information.”
- How many records were stolen. “Approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers.”
- What T-Mobile has already done to contain the damage. “We then located and immediately closed the access point that we believe was used to illegally gain entry to our servers.”
All of that corresponds to what the thieves had told Vice.com, including the point that T-Mobile had sealed off the vulnerable web servers.
As data breaches go, this one is painful. It involved a lot of records and a lot of personally identifiable information, so right away I wonder about T-Mobile’s enforcement risk from the Federal Trade Commission and state attorneys general under consumer protection statutes.
Criminals will also be able to use the purloined information to commit fraud against other companies, by posing as the T-Mobile victims and using their data to open accounts, reset passwords, execute transactions, and so forth. Many other companies will end up paying a price for T-Mobile’s cybersecurity lapse.
Still, within the confines of what the Securities and Exchange Commission expects businesses to disclose to investors about a cybersecurity incident, T-Mobile’s disclosures so far have been good. The company shared specific details about the harm it and its customers have suffered, and what it has already done to prevent further damage.
That’s very much in step with SEC guidance about disclosure of cybersecurity events. Consider this passage from that guidance, last updated in 2018:
We do not expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident. Nevertheless, we expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.
T-Mobile also filed a Form 8-K disclosure to the SEC on Aug. 17 just in case any investors hadn’t yet heard about the breach via other media.
Comparisons to Pearson
In contrast to T-Mobile, Pearson executives knew about their data breach for months before issuing a public statement — and they only made that statement when reporters informed the company that they were about to publish a story on Pearson’s breach.
Pearson then issued a measly two-paragraph statement full of hypotheticals and vague language, when (according to the SEC settlement) they already knew exactly what personal data had been breached.
T-Mobile also refrained from saying anything about the measures it takes to keep customer data secure. That’s more than we can say for Pearson, which offered up some boilerplate “We have strict data protections in place” when in fact Pearson failed to patch a known, critical security flaw in its servers for six months.
Now, is it possible that new information about T-Mobile might come to light that puts its executives in a much less flattering light? Yes. Is it possible that T-Mobile might also have kept quiet about its breach if reporters hadn’t approached the company? Also yes.
But the fact is that Pearson had many months to ponder whether it should disclose its breach before the media forced its hand — and the company chose to keep quiet. T-Mobile had no such luxury.
Moreover, when Pearson did say something about the breach, that disclosure was rife with sins of omission. T-Mobile’s disclosure was fulsome and precise.
Decide for yourself which example you’d rather follow.