Data & Practice Hacks

A data hack affecting millions of T-Mobile customers recently came to light when on August 15, 2021 a hacker posted on a dark web forum that it was offering the social security numbers and drivers license numbers of about 30 million people from T-Mobile internal databases for about $270,000. 

T-Mobile finally acknowledged that the company had suffered a cybersecurity incident, or what we generally refer to as a “data breach.” It was first reported on Vice, without a word from T-Mobile until a couple of days later, when it finally acknowledged it had looked into the cybersecurity incident, determined that there was a data breach, and cut off access to the hackers so they could no longer go through its systems.

In the world of cyber security and data breaches, what happens in the first 48 hours or so is paramount to ensuring that customer information is safe. Hackers can sell this information in the blink of an eye using Bitcoin, and then we don’t know where the information has gone or how consumers will be affected in the future. 

When the news broke, and even though T-Mobile had not yet sent notification out to any consumers, Amy Keller, Partner and Leader of DiCello Levitt Gutzler’s Cybersecurity and Technology Group, launched an immediate investigation. Within a few short days, the firm had been contacted by T-Mobile customers concerned that their data might have been impacted and were still waiting to hear from T-Mobile whether their sensitive information was involved in the data breach.

By the time T-Mobile responded, the damage was largely done. The hackers had obtained information on at least 30 million consumers, and once they exfiltrate it from a company’s databases, you can never completely get it back. 

There has been some discussion about ransomware in recent years and increased incidents of hackers taking information from companies. From a traditional perspective, where a hacker would encrypt the information and leave it on company servers, hackers are now exfiltrating information and demanding a ransom for the safe return of that data. Even in those instances when companies pay a hacker, there’s no guarantee that the information is actually destroyed.

Hackers can quickly share the information with other entities. When they show proof of destruction, it’s only a guarantee that the information has been destroyed on a particular server. 

Many companies have best practices in place to engage in data minimization, which requires companies to delete information that they no longer need.

The hacker allegedly has information on consumers going back to the 1990s. It might make sense that T-Mobile would want to retain some kind of contact information to potentially sell goods or services to former customers, but there’s no reason why the company needed to keep social security numbers or driver’s license numbers for 30 years. It’s almost silly, especially if T-Mobile was keeping the information on a database that potentially wasn’t available to be patched or had reached end of life as most of these databases with outdated information are. Companies should be deleting information that they no longer need and that this information goes back so far is shocking. Unfortunately, more and more companies don’t seem to have a handle on the data in their custody, and they’re keeping it on outdated systems. 

Until we start asking T-Mobile directly, we won’t know if it held onto the customer data out of incompetence or for some other purpose. According to Keller, “If you aren’t doing business with people they’re not your customers. There is no reason why you should be hanging onto their social security numbers and driver’s license numbers without informing them.”

The hacker also allegedly stole customer pin codes from an encrypted, plain text file that could give potentially unlimited access to customers’ accounts. T-Mobile’s damage control for the problem consisted of telling people they should update their pins but apparently the company did not proactively deactivate them. 

Cybersecurity best practices say pins and passwords should always be encrypted with the highest levels of security. Companies routinely impose upon consumers rather burdensome password requirements–letters, numbers, uppercase, lowercase, and a symbol–and then they don’t use that same kind of security in protecting those passwords.

More and more hackers are becoming sophisticated and understanding ways to run queries and to figure out where these backdoors are for accessing sensitive information. If companies don’t have a good handle on where they’re keeping information or how it’s kept, those hackers will be successful as they continue to poke around for vulnerabilities. 

This hacker was pretty brazen about it, in essence telling potential buyers, “I’ve already got it backed up in multiple places. Don’t worry if T-Mobile shuts me down.” That demonstrates why, if someone is posing as a hacker who’s demanding a ransom, you can’t trust cybercriminals to delete information. It is usually saved on multiple sources.

Once hackers get ahold of information, it’s incredibly valuable. And they’re going to try to extract value from that information because they’ve spent a lot of time trying to get the information and it’s worth a lot of money for them. 

Blackbaud Hybrid Data Breach and Ransomware Attack.

Another similar cybercrime involved a hybrid data breach and ransomware attack on Blackbaud, a company offering cloud based solutions to non-profits. Blackbaud is not the typical ransomware case where an entity encrypts information on your machine and then demands a ransom for the security key. The hackers did try to encrypt the information, but they also were able to exfiltrate data after making a copy. Blackbaud paid the ransom for assurances from the cybercriminal that the data had been deleted.

Plaintiffs are asserting that you cannot trust the word of a cybercriminal and they should be entitled to compensation from Blackbaud, even though Blackbaud says that the cybercriminal deleted the information. 

There have been class actions filed all throughout the country against Blackbaud related to this data breach. The cases were consolidated in the district of South Carolina before Judge Michelle Childs. She’s taking a unique approach to the MDL. First of all, she appointed a leadership team that represents the most diverse leadership team ever appointed in MDL in history, giving opportunities to women and people of color who previously did not have opportunities to litigate these cases. 

There’s good reason to actively seek out these lawyers and ensure that they’re given opportunities. When you represent a class of people, you need to make sure that the lawyers representing you look like you and are familiar with your experiences. Otherwise there are huge blind spots in the representation and the type of relief that you would negotiate for the people you’re representing. So having those experiences and having a diverse slate of attorneys who represent you is vitally important so they understand what clients go through on a day to day basis from different backgrounds, and having diverse attorneys involved ensures that we’re able to provide that level of representation.

Judge Childs is also taking a segmented approach on motion practice. She had Blackbaud file three separate motions to dismiss. The first motion was on jurisdictional standing, asking whether plaintiffs’ injuries are sufficient to state a claim in federal court under Article III of the United States Constitution. The second motion examined statutory claims, asking whether plaintiffs had sufficient grounds to state claims under certain consumer protection statutes, including the California Medical Information Act and the California Consumer Privacy Act. The third motion to dismiss as to common law causes of action will be heard this month. 

The Blackbaud case is the first major decision on a data breach regarding the CCPA and a motion to dismiss.

Protections Under the California Consumer Privacy Act.

The California Consumer Privacy Act (CCPA) was enacted in response to a ballot initiative and has two parts to it. One part deals with the nuts and bolts of privacy. For example, how information can be used and certain disclosures that have to be made. As it pertains to privacy, consumers don’t have a private right of action. So if a company violates the CCPA as it pertains to that part of the statute, consumers have to leave it to regulators to handle, and the California Attorney General is in charge of enforcing that portion of the statute. 

The second part of CCPA relates to data security, and consumers do have a private right of action relating to data breaches regarding certain types of information, such as social security numbers, driver’s license numbers, account numbers, and passwords for those account numbers. 

The private right of action is really where the rubber meets the road. A few other states have passed these types of laws, and there are other states looking into passing similar laws as well. Many states have been reluctant to pass statutes containing a private right of action. Consumers actually do want a private right of action for data breaches because they want to be able to enforce these laws against companies, and they want to be able to obtain meaningful monetary relief for data breaches.

The problem, of course, is the lobbyists. The corporate lobby is very powerful in each of these states, convincing legislatures that consumers should not have a private right of action as it pertains to data breaches or privacy violations. Usually when you see a consumer privacy statute passed, it doesn’t include a private right of action but is left to the attorney general of that state for enforcement. Then, the legislature doesn’t give the attorney general nearly enough budget to do the enforcement work. These statutes end up being toothless tigers that don’t really help consumers. 

Most CCPA cases have been settling. We don’t see a floodgate opening up due to the narrowly defined scope of what data is actionable under the CCPA.

Whenever the defense bar, or the chamber of commerce, puts out the narrative that it’s only going to benefit plaintiffs’ attorneys, that really doesn’t bear out in the actual data that’s presented. We have not seen a ton of cases involving the CCPA, and the cases that have been filed are worthwhile and pertain to information that is really important to consumers.

Problems With Existing Notification Procedures.

Data breach notification fatigue is something the Sedona Conference Working Group 11 is exploring. Plaintiffs attorneys, defense attorneys, and in-house attorneys are talking about how data breach notification statutes are basically worthless because they don’t mandate that you have to provide consumers with information that is meaningful. 

When consumers get these notifications, they say information that might have been disclosed about you may include certain data. Thankfully the credit card brands have agreements with most merchants, so that if a certain credit card is involved in a data breach, they send you a new one. But you don’t get a new social security number. If consumers get a data breach notification letter that says their social security number may have been compromised, consumers don’t know what to do with that. 

Consumers are not empowered with enough information on how the credit reporting industry works and how to protect themselves. What does it mean to freeze your credit? How can data breaches impact your credit? None of that is explained in these data breach notification letters and consumers have no idea what to do with them other than either throw them away or get even more worried about having become a victim of identity theft.