This story is over 5 years old.

This Hack Isn’t T-Mobile’s Fault, It’s the Whole Cell Phone Industry’s

A credit-based system of contracts and phone leases mean too many companies have your social security number.
October 2, 2015, 6:01pm

The breach that has put the social security numbers of nearly 15 million T-Mobile customers in the hands of hackers has very little to do with T-Mobile, and a whole hell of a lot to do with the paradigm cell phone carriers have used to systematically screw you over for the last decade or so.

Every time you sign up for a new two-year cell phone contract or attempt to lease a phone from a carrier in the United States, the provider requests a credit check. Because these are cell phone network companies and not financial institutions, the carriers pass your data—social security number included—to a third party to run the credit check. T-Mobile used Experian, which is one of the largest credit check companies in the world and should, presumably, be good at keeping your data private.


It wasn't. Experian got hacked, and most current or recent T-Mobile customers are now in a lot of trouble.

That brings us to the real problem: The US cell phone industry has operated on a system of credit ever since it began.

"Records containing a name, address, Social Security number, date of birth, identification number (typically a driver's license, military ID, or passport number) and additional information used in T-Mobile's own credit assessment were accessed," Experian wrote in a blog post.

That is very bad. That "no payment card or banking information was obtained" is almost beside the point—if you've got that other info, you can quite easily steal someone's identity.

Still, this is probably not really T-Mobile's fault, which probably doesn't make anyone affected feel any better. Another thing that won't make you feel any better: Your SSNs were encrypted, but that "encryption may have been compromised," T-Mobile wrote in a blog post.

Unless companies begin literally hacking each other to test their contractors' security practices (T-Mobile says it performed periodic reviews of Experian's security systems), there's not ever going to be a way to totally ensure data protection.

That brings us to the real problem: The US cell phone industry has operated on a system of credit ever since it began.

Cell phone contracts have changed, but it's probably too late for any of it to matter.

I can't fault a single company for asking another to perform a credit check—by all accounts, Experian was supposed to be a huge, secure company. But you can fault a system that asks you to hand out your social security number at every turn. How many companies have my social security number? I don't know! I've had to give it out repeatedly over the course of my entire life—to would-be landlords, employers, and, yes, cell phone companies.

For years, cell phone companies subsidized the price of your cell phone; i n return, you had to sign two year contracts. In exchange for a cheap iPhone, you got locked into these draconian arrangements (unless you went with a pay-as-you-go carrier, as few people have, there was generally no alternative to this). If you were unable to pay your bill, T-Mobile or Verizon or whoever would be forced to send debt collectors after you or eat the cost of the phone. It's understandable that they'd want to sell contracts only to people who could afford to eventually pay off the cost of the phone (by being locked in for two years).

This has changed recently, sort of, with the help of T-Mobile's no contract "uncarrier" campaign. Few companies are still subsidizing phones, but they're still taking your SSN numbers and performing credit checks, because many are now leasing iPhones to you rather than selling them to you at a discount.

The no-contract system is still preferable to the old one, because now you at least have the option of buying your phone outright and avoiding a credit check. The problem, of course, is that it's probably too late for any of it to matter.