CrankySec

The Cost of Doing Business

Hello, friends! It's been a hot minute, but we were busy working on a little Cranky project that, for now, you'll need to check out our Discord to learn more about. It's not really a secret, but we're not quite ready to spread the news yet. If you're not there, do join.

On to the thing I wanted to write about, good buddies! So, last week the United States Federal Communications Commission reached a settlement with T-Mobile — a local mobile phone carrier for those of you hailing from "Not the US". Attached to this settlement, which we will abso-fucking-lutely discuss in a jiffy, is a consent decree. This is just legalese for "this settlement is valid if, and only if, you do the things we wrote in this other document here." The consent decree states that:

T-Mobile suffered data breaches in 2021, 2022, and 2023

And that:

Combined, these breaches affected millions of current, former, or prospective T-Mobile customers and millions of end-user customers of T-Mobile wireless service resellers, which operate on T-Mobile’s network infrastructure and are known as mobile virtual network operators (MVNOs).

In a very rare and welcome case of "US Federal Agency calling it like it is", the FCC quoted the White House and added this to the consent decree:

When organizations that have data on individuals fail to act as responsible stewards for this data, they externalize the costs onto everyday Americans.

Which, duh! But also, it's good to see the government acknowledging the very concept of "externalities". Way to go, Commish! Anyway, the FCC has a not-so-laundry-list of "demands" for T-Mobile, as follows:

(i) Corporate Governance: designating a Chief Information Security Officer who will report regularly to the Board of Directors on cybersecurity matters;
(ii) Modern Zero-Trust Architecture: moving towards a “zero trust” security framework and segmenting its network to limit the blast radius when a breach occurs;
(iii) Identity and Access Management: implementing phishing-resistant multifactor authentication (MFA) to secure its networks and systems;
(iv) Data Minimization and Deletion: adopting data minimization, data inventory, and data disposal processes designed to limit its collection and retention of customer information;
(v) Critical Asset Inventory: identifying and promptly tracking critical assets on its network to prevent misuse or compromise; and
(vi) Independent Third Party Assessments: conducting independent third-party assessments of its information security practices.

You can look at that and — rightfully so — think to yourself: Wait a fucking minute. What? They didn't have a CISO??? They didn't implement the barest of the minimum, garden-variety, run-of-the-mill cybersecurity controls? What the fuck kind of business is that? The answer to that is "almost every business", I'm afraid. For reference, here are their executives. No CISO to be found as of today, October 1st, 2024.

So, to recap, T-Mobile runs a shit shop when it comes to cybersecurity, loses their customers' data, learns nothing, loses the data again, loses it again for good measure, and it takes the god damned Feds to teach them how to cyber? Get the hell outta here, bro. But, wait! There's more!

We can't have that kind of shenanigans go unpunished, right? As an incentive, the FCC wants T-Mobile to part ways with some cash, too. How much, you ask? This much:

To settle these investigations, T-Mobile will pay a civil penalty of $15,750,000 and commit to spending an additional $15,750,000 over the next two years to strengthen its cybersecurity program, and develop and implement a compliance plan to protect consumers against similar data breaches in the future.

That's right. A $15,750,000 penalty, and "an additional $15,750,000 over the next two years to strengthen its cybersecurity program". The last part there being legalese for "I'm going to do your budgeting for you. Ferda!" Sounds like a lot of money, right? Wrong. According to this, T-Mobile's CEO Mike Sievert made $37,000,000 in 2023. Put another way: the CEO of a company that loses their customers' data over, and over, and over again due to hot garbage cybersecurity makes more than twice the money the FCC is telling them to spend over the course of two years to "strengthen its cybersecurity program". We're talking about a company with a market cap of 238 BILLION dollars, 67 THOUSAND employees, and, according to their own numbers, over 120 MILLION total customers.

Compared to this, a slap on the wrist would be an act of unspeakable violence. But here's the deal, though: after years of regulatory capture, it is extremely hard for any US regulatory agency to stop corporate fuckery. That's very clear, especially now that the Chevron Deference went to shit because six assholes in black robes think that corporations are the purest entities on God's green earth, and even looking at them funny is tantamount to spitting in the face of America itself. U S A! U S A! U S A!

So, if your identity has been stolen because some shit company that can't be bothered to even hire a CISO to pretend to care lost the information of their 120 million customers, rest assured that there's absolutely nothing you can do about it, so, relax. But also, fuck you. Enjoy your trash internet and dropped calls.


P.S. Don't forget to visit our store!