Almost half of all T-Mobile customers in the USA were victims of a huge data breach. Deutsche Telekom, as the parent company, has been violating its self-imposed obligations to data protection ever since.
With more than 100 million customers in the United States, T-Mobile has massive amounts of personal data at its disposal. As a subsidiary of Deutsche Telekom, it could even be the largest amount of data of any company whose parent company is based in the European Union. This is what digital activist and travel blogger Edward Hasbrouck from California draws attention to in his latest entry.
However, T-Mobile USA is far less willing to provide information than Deutsche Telekom, which, for example, had to hand over extensive movement data to the then Green Party MP Malte Spitz eleven years ago – but only after a settlement in a lawsuit. Following Spitz’s example, Hasbrouck had also asked US T-Mobile what information was stored about him. The company, however, refused to answer and is now refusing further requests from the blogger.
Social security number and driver’s licence data leaked
Almost exactly a year ago, T-Mobile confirmed reports that hackers had stolen personal data from over 40 million current or former accounts for pre-paid and post-paid services. The data allegedly included first and last names, dates of birth, national insurance numbers, ID cards and driver’s licences.
The company later discovered that a further 7.8 million accounts had been affected. According to the company, “telephone numbers and IMEI and IMSI information” were also compromised. But it did not stop there.
In the course of the investigation, T-Mobile said it discovered another 5.3 million customer records that had been “illegally accessed”. However, no information from ID cards was obtained from these accounts. However, T-Mobile writes on its website that it still has “no indication that the data contained in any of the stolen files included any customer financial information, credit card information, debit or other payment information”.
Notification only after two months
Hasbrouck was among the customers affected, but the blogger only received notification of the hack in October last year. According to the notice, which was two months late, T-Mobile had “determined that unauthorized access to your personal information has occurred, including your name, driver’s license/ID information, date of birth, and Social Security number.”.
However, T-Mobile “is continuing to take action to protect everyone at risk from this cyberattack, including those additional persons we recently identified,” its website said. This included “to millions of customers and other affected individuals”.
However, T-Mobile does not want to specify which data on its customers is stored at all and could thus have been leaked. The blogger Hasbrouck, who wanted to assess the threat posed by the hack and mitigate the damage caused by this data breach, also had to learn this. Moreover, Hasbrouck has no idea how the company could have got hold of his driving licence data or national insurance number and why they are kept for over a decade.
Deutsche Telekom wants to increase stake to over 50%
Currently, Deutsche Telekom holds a majority stake of 48.8% in US-based T-Mobile. According to a Reuters report last week, this is to be increased to over 50%. CEO Timotheus Hoettgas said this was “our most important strategic project at present”. But according to its own list, the German company already has a 64.78% share in the US subsidiary through also indirect holdings.
With such a strong shareholding, the US company would also have to comply with the guidelines on transparency and data protection propagated by the German Telekom Group, says Edward Hasbrouck. That is because these rules apply to all Telekom Group companies worldwide. “We give our customers access to the many possibilities of this world. As a trustworthy partner, we accompany them on this path – and also ensure that no one is left behind,” Deutsche Telekom advertises its brand. This applies “in Germany, our home market, and in around 50 countries around the world”.
The globally active company has laid down its principles for data processing in a “Binding Corporate Rules Privacy”. Article 22 of these rules stipulates, for example, the right to information for all customers of the Telekom Group. According to these rules, “data subjects” have the right to “contact any company processing their data and to request information on all personal information stored about them.
T-Mobile US did not sign “Binding Corporate Rules Privacy”
After being questioned, Deutsche Telekom responds that the “Binding Corporate Rules Privacy” are only mandatory for those companies of the Deutsche Telekom Group “that have signed up to them and put them into effect in a legally binding way”. “That is, when national or regional laws and the legal framework in the respective country allow them to come into force and the company then implements them.” T-Mobile US had not done this.
Deutsche Telekom justifies why T-Mobile US did not join the “Binding Rules” and why Deutsche Telekom could not push for this with stock corporation law. “Shareholders of a listed company are not allowed to issue instructions to the company, and the same applies to the supervisory board. The company is managed exclusively by the board of management, which must be guided by the interests of the company,” Telekom said. Therefore, it is also forbidden to enforce Deutsche Telekom’s interests “via members of the board of management who have been delegated, for example”.
Deutsche Telekom says it is unable to get its US subsidiary to comply with what should be binding data protection rules. But T-Mobile US follows the applicable national and regional laws and regulations when providing information, Deutsche Telekom explains. The company applies the California Customer Privacy Act to the entire US company, according to the statement. This is considered the “strictest data protection law in the USA”.
Binding corporate rules a “farce”
However, the German corporate headquarters refuses to help Hasbrouck in the United States to get his right of access. The German-based company, like T-Mobile, does not intend to answer any more of Hasbrouck’s requests in the future.
“These actions appear to violate both U.S. and German laws against breach of contract, truth in advertising, and fraud”, Hasbrouck writes in its blog post. It also calls into question the implementation of the EU’s General Data Protection Regulation, he says.
Deutsche Telekom writes that it has “always explained the reasons to Hasbrouck in detail, comprehensively and transparently”. “Since the legal situation is unchanged, there is also no change in the facts”, it says. “Thus, our already addressed comprehensive answers to Mr Hasbrouck are valid. We have communicated this to Mr Hasbrouck in a friendly and binding manner”.
According to Hasbrouck, the matter is a test of the applicability of European data protection rules to the US subsidiaries of EU-based companies. In the case of the Telekom Group, however, the binding corporate rules “turned out to be a farce”.
Update: Allegedly, my request for a statement by e-mail of 15 August did not reach Deutsche Telekom before the article was published. The group had complained about this and asked for its statements to be published. These have been inserted and amended at the appropriate places in the article. I have removed the passage which (correctly) said that Deutsche Telekom had not reacted.
Image: Wasn’t meant to be: the motto of the German Telekom group (Deutsche Telekom).