The company also will spend at least $150 million on upgrading data security. T-Mobile made no admission of wrongdoing in the proposed settlement document, though the cell phone carrier’s CEO apologized to customers for the security failure in 2021. A 21-year-old hacker took responsibility in an interview with the Wall Street Journal, saying that he broke into a T-Mobile data center through an unprotected router, then used stored credentials to access more than 100 servers.
In 2021, the information industry (which includes the mobile carriers) was hit with 2,561 cyber incidents, 378 of them with confirmed data disclosures, according to the Verizon DBIR. That placed the industry at #4 for total incidents and #5 for data breaches among the 21 industry categories surveyed in the DBIR.
The RiskLens data science team estimates risk for companies in an industry category based on the cyber events history plus a wide range of parameters such as revenue, number of employees and number of database records.
Based on RiskLens research, T-Mobile, as an information industry member, had a 38% greater probability than companies in other industries of experiencing costs from lawsuits and other secondary response costs (SRC). Furthermore, with the size of the breach and T-Mobile’s revenue level, the probability of incurring SRC and the amount of payout were most likely to increase significantly from the norm. One reason: a telecommunications company holding and moving large amounts of data on networks is likely to run a higher risk of data breach or other incidents.
Shown below is the likelihood that the common types of cyber loss events (from the Verizon DBIR) will occur on an annual basis for an enterprise in the information industry and fitting T-Mobile’s profile. We pulled these numbers from the RiskLens My Cyber Risk Benchmark tool (note that the estimate for losses from “System Intrusion” was confirmed by the $500 million number announced in the court settlement document):
As an example, an information industry organization is looking at these chances of a System Intrusion loss event in a year, depending on how well it implemented and maintained controls, based on ratings from SecurityScorecard.
The stats in this blog post were pulled from the RiskLens My Cyber Risk Benchmark tool, powered by RiskLens data science (with security ratings from SecurityScorecard). See how your industry and your organization stack up – get a free trial of My Cyber Risk Benchmark.