- 53 million persons affected by T-Mobile’s data breach.
- 38 million records exposed in Microsoft Power App data breach.
- After large breaches like these, more will come. We can’t stop providing our info to software vendors, but we can be smart.
T-Mobile Breach
Can you secure your data and maintain convenience? On August 17, 2021, hackers stole sensitive data from T-Mobile (TM), affecting 53 million customers. Types of stolen information include names, driver’s licenses, government identification numbers, Social Security numbers, dates of birth, TM prepaid PINs (that TM has already changed), addresses, and phone numbers.
TM asserts that they “have no indication” that personal financial or payment information was accessed.
For affected customers, TM sent notifications and recommended that customers take the following steps:
- Sign up for McAfee ID Theft Protection (free for two years)
- Activate TM’s Scam Shield to block suspected scam calls (free to all TM customers)
- Use TM’s Account Takeover Protection to prevent theft and fraudulent use of customers’ phone numbers
- Consider placing a fraud alert on credit bureau accounts or freezing them
Microsoft Power App Breach
In June 2021, some 38 million records from Microsoft (MS) Power Apps were exposed online. Power Apps is a “suite of apps, services, and connectors, as well as a data platform” that helps businesses and organizations to share data easily across the cloud.
Some data, such as locations of COVID-19 testing or vaccination sites, should be public. The problem emerged when the Power Apps platform failed to distinguish properly between public data and information that should remain private (such as COVID-19 vaccination records).
MS has since reconfigured default settings on the Power Apps platform to increase the security of sensitive information. MS also notified all 47 organizations affected.
Secure Your Data Summary
What can individuals and organizations do to improve security? Three actions will help:
- Protect employees and customers by using an identity and access management (IAM) platform such as OneLogin. Because setting up such a service involves technical decisions, it is prudent to get help from your managed service provider (MSP).
- Require employees to use multi-factor authentication (MFA) when accessing online accounts, and consider requiring it for customers as well if your business exchanges sensitive information with them. We get it: MFA adds a few seconds to every login. But that costs far less time and money than reclaiming a stolen identity.
- If your business collects sensitive data from clients, consider requiring MFA for them to log in to their accounts. Keep in mind, though, that a breach like TM’s makes it easier for a hacker to have a victim’s phone number moved to a phone the hacker controls (a SIM-swap attack). An authentication code sent by text message to that number would then reach the hacker instead of the client, opening the account. To avoid this, your business should provide an “authenticator app,” which generates the code on the client’s own device rather than sending it over the phone network, and have clients use it. You should probably ask an IT professional to help set that up.
Other Considerations
For a variety of reasons, many employees now work from home and other locations. The recent data breaches underscore the need to protect wireless devices used in public places from cyberattack.
In August 2021, the National Security Agency (NSA) released guidelines for “Securing Wireless Devices in Public Settings.” After downloading your copy, scroll to pages 4-7 where the NSA provides a very useful chart of “Do’s” and “Don’ts.”
Unfortunately, data security and device protection can be confusing. Even if you already train employees to use complex passwords and to handle email safely, that might not be enough. Not all MFA methods are created equal.
If you are concerned about data security for your business or organization, please sign up for our FREE 15-minute security review. We are offering this opportunity for one week on a first-come, first-served basis. Or contact our team to discuss any other technology concerns.