Speeds and features are important but a mobile network is only as good as its security stature, and T-Mobile US isn’t up to the task. The operator earlier this month suffered a data breach that exposed personal data on at least 54 million people.

Some of those people are professionals, including T-Mobile for Business customers, that rely on T-Mobile for connectivity. They, like anyone else, rightfully assume T-Mobile is properly storing only the most pertinent data on them and securing that personal information from cybercriminal intrusion and theft.

They would be wrong on that, and they wouldn’t be wrong to take their business elsewhere as a result. Maybe T-Mobile has learned its lesson and will start taking security seriously? Wrong again.

This marks the fifth publicly acknowledged data breach at T-Mobile in three years, and analysts describe it as the largest carrier breach on record. That pattern of negligence and worsening theft further emphasizes T-Mobile’s continued failure to tighten up its security.

The operator’s priorities remain elsewhere, and it shows. T-Mobile’s business is booming. It has the best spectrum position in the U.S., multiple meaningful leads on 5G globally, and it appears to be well positioned to command a leadership position through the entire 5G cycle.

Those efforts also put T-Mobile in position to finally break into the enterprise market in a more meaningful way. The operator’s business services unit has a current market share below 10%, and it intends to increase that up to 20% by 2026.

However, all that wind in T-Mobile’s sails doesn’t mean much if it loses trust with its users. Most of us gloss over these things because alternatives are nonexistent. It’s hard to keep track of all the companies, government agencies, and security tools, vendors, and specialists that fail to protect us. 

Who can be blamed for prioritizing the security of our personal data below more pressing matters like climate change or death by plague?

The problem for T-Mobile and its enterprise aspirations is that CIOs and CISOs have to worry about everything all the time. Taking unnecessary risks is not advisable in IT. Potentially exposing private business information is a surefire way to get fired with cause.

Maybe T-Mobile is “at the back of the pack” in the enterprise wireless market, as T-Mobile for Business EVP Mike Katz put it in a blog post earlier this year, for good reason. Its competitive pricing and 5G network infrastructure prowess notwithstanding, what has T-Mobile done to earn a bigger share of business customers?

It certainly hasn’t proven itself a trustworthy partner, nor has it done what’s required to protect itself and customers from what appears to be a relatively simple cyberattack. T-Mobile claims it was victim of a “highly sophisticated attack,” but the hacker John Binns told The Wall Street Journal he gained access with ease after discovering an unprotected router exposed on the internet.

“Their security is awful,” Binns told the newspaper, after claiming responsibility for the breach. A simple, publicly available tool allowed Binns to discover the weak spot, which he used to hack into the carrier’s data center in Washington, he said. The hacker accessed more than 100 servers with stored credentials about a week later, and stole personal customer information around Aug. 4.

T-Mobile publicly acknowledged the cyberattack on Aug. 16 and shared more details about the extent of its failings on Aug. 18. The operator finally alerted me, a T-Mobile customer, that unauthorized access to some of my information occurred on Aug. 20.

I’m sure most customers didn’t learn about the data breach until then either. And what’s T-Mobile doing to assuage concerns about this massive breach? Offering two years of free identity protection to any person who believes they may be impacted. 

“Ultimately this is pushing the responsibility for the safety of the data onto the user,” Forrester Research analyst Allie Mellen told me. “Instead of addressing the security gaps that have plagued T-Mobile for years, they are offering their customers temporary identity protection when breaches happen, as if to say: ‘This is the best we can do.’”

T-Mobile admits business customer information was also stolen, including business names, federal tax IDs, physical addresses, contact names, and phone numbers. Furthermore, the carrier said personal information including names, drivers’ licenses, government identification numbers, social security numbers, dates of birth, addresses, phone number(s), and device identifier information was exposed.

The operator maintains financial information, passwords and PINs were not accessed during the attack. T-Mobile’s commitments don’t carry much weight, considering the scope and damning details about how the attack reportedly occurred, but it claims dedicated resources are conducting business account reviews. 

“We’re relentlessly focused on taking care of our customers — that has not changed,” the operator said in a statement on its T-Mobile for Business site. “We’ve been working around the clock to address this event and continue protecting you, which includes taking immediate steps to protect all individuals and companies that may be at risk.”

Shallow words that matter little now that the damage is done. Better luck next time. Maybe. 

If T-Mobile can’t be trusted to protect private information, there’s little chance enterprises will adopt 5G services from the operator without some major concessions and meaningful improvements in security. And even then, especially if you’re an IT decision maker, why risk it?