T-Mobile was recently hit by a major data breach, with personal information stolen related to more than 50 million current, former, or prospective customers.
While the investigation is ongoing, there’s a question of if the carrier – which has been racking up subscriber counts including in the first half of 2021 – will take a hit in the metrics or reputation department if customers are wary about the security of their data.
No financial information appears to have been compromised, but data such as social security numbers, names, dates of birth, drivers license info, and IMEI and IMSI device identifiers was involved for some.
FierceWireless polled wireless industry analysts to get their take on what impact the breach could have on customers staying with or switching to T-Mobile. The general consensus: Not much.
Data breaches the new norm
Several analysts expressed that data breaches are essentially part of everyday life these days and won’t make much of a difference for customers staying or changing carriers unless a consumer is personally impacted.
William Ho, principal at 556 ventures, cited two categories subscribers could fall in, but noted impact from each is difficult to quantify because it’s a personal choice.
“There are those subscribers who may think that global data breaches are the inevitable norm” Ho said. “Therefore, they will not leave easily unless personally affected. These same customers could see that the value that T-Mobile provides in terms of price and included benefits still outweighs porting over to competitors.”
Mark Lowenstein, analyst and managing director at Mobile Ecosystem, doesn’t think security of personal information is top of mind for customers at all – until something happens that is.
“Unless we start hearing lots of stories about how particular individuals or enterprise customers were affected in some way, then I don't think there will be major long-term effects,” Lowenstein said.
Roger Entner, founder of Recon Analytics, shared a similar sentiment, saying that leaked credentials “are a very abstract threat until you get impacted.”
And most people whose data is breached don’t feel an impact, he said, so all other reasons – be it price, 5G or others – are more important to consumers since they benefit from those aspects.
“Judging from history – and we can since this is not the first time T-Mobile has had a data breach – this will have no impact on T-Mobile’s growth and will also not increase churn,” Entner said.
Iain Gillott, founder of IGR, acknowledged he doesn’t know if T-Mobile will lose customers, but falls firmly in the camp that data breaches are to be expected, pointing to other industries that have seen them.
“This problem is not isolated to T-Mobile,” he said. “This is not a wireless industry problem, it is a ‘your data is being compromised’ problem across multiple industries and multiple companies, and it will be again.”
More vulnerable than AT&T and Verizon?
This isn’t T-Mobile’s first data breach, with multiple others over the last several years, but does that mean T-Mobile is more at risk of cyberattacks compared to competitors?
“Considering T-Mobile’s track record, they seem to be more vulnerable than the other providers,” Entner said.
Those other attacks include a 2019 breach that affected around 1.5% of customers, with an attacker gaining access to prepaid customers’ service account information. In 2018, around 3% of the T-Mobile’s-then customer base, or about 2 million users, had account data hacked by an unknown international entity.
Gillott views all industries as vulnerable and doesn’t think T-Mobile stands out. Self-proclaimed cynical and jaded, Gillott said he assumes his data will be lost or sold right from the start when signing up or sharing information for services, regardless of company.
“Do I think that Walmart is better at protecting information than Target is, or AT&T is than T-Mobile?” he posited. “No.”
Lowenstein thinks it’s too early to tell how the data breach will affect T-Mobile. A key question, he said, is whether any of the systems, policies, or parts of the cybersecurity apparatus were less robust than they should be – particularly given T-Mobile’s challenger brand.
Tied to vulnerability, Lowenstein cited competitor’s response as another factor.
“At this point, we still don't know whether this happened because T-Mobile was more vulnerable than other operators,” he said. “Competitors will only 'exploit' this in their marketing if it appears that T-Mobile had a particular vulnerability it shouldn't have had.”
Ho thinks a segment of subscribers could still bail on T-Mobile because of the lack of trust.
“T-Mobile has been trying to limit the damage by trying to be transparent,” Ho said. “The PR damage control could ameliorate this segment risk.”
The breach’s impact won’t be known until third-quarter 2021 earnings numbers are formalized, he added, or disclosed in press announcements beforehand.
Like Ho, Lowenstein pointed to transparency as key, including disclosures of what, why, how, and what’s being done to prevent future incidents.
“Customers just need to be assured that there is no greater likelihood this would happen on T-Mobile than on other operators,” Lowenstein said.
After its preliminary investigation, T-Mobile had said it reset all PINs on about 850,000 active prepaid accounts that were compromised and recommended all postpaid customers do the same. It’s also offering two years of free identity protection services with McAfee’s ID Theft protection service.
Multiple proposed class action lawsuits related to the breach have been filed in U.S. District courts since last week, including in the Northern District of Georgia and the Western District of Washington.