T-Mobile has long been a hot mess on issues of security and privacy. Distracted by its problematic merger with Sprint, T-Mobile was hacked eight times in less than five years, leaking oodles of sensitive customer information onto the open web. The company was also a key player in gobbling up sensitive user location data to make money, then failing to adequately secure that data from third parties.
Now T-Mobile’s back with one of its worst privacy screw-ups yet. T-Mobile sells a GPS service called SyncUP that lets parents monitor the locations of their children (one of several similar apps like Life360), then turns around and monetizes these vast troves of data.
Except that 404 Media was the first to report that an apparent bug with T-Mobile’s service resulted in users losing contact with their kids, and instead being shown the names, photos, and real-time location info of other people’s children:
“Jenna, a parent who uses SyncUP to keep track of her three-year-old and six-year-old children, logged in Tuesday and instead of seeing if her kids had left school yet, was shown the exact, real-time locations of eight random children around the country, but not the locations of her own kids. 404 Media agreed to use a pseudonym for Jenna to protect the privacy of her kids.”
“…Jenna sent 404 Media a series of screenshots that show her logged into the app, as well as the locations of children located in other states. In the screenshots, the address-level location of the children are available, as is their name and the last time the location was updated.”
Great stuff, no notes.
The bug was made worse when the parent contacted T-Mobile, only to see no real interest on the part of the company to take the problem seriously. T-Mobile, once seen as a “consumer friendly” company, has increasingly behaved like AT&T and Verizon after its merger with Sprint reduced an already muted motivation to compete on customer service.
As per tradition, T-Mobile began taking the problem semi-seriously once contacted by the press:
“Yesterday we fully resolved a temporary system issue with our SyncUP products that resulted from a planned technology update. We are in the process of understanding potential impacts to a small number of customers and will reach out to any as needed. We apologize for any inconvenience.”
As with so many modern companies, T-Mobile over-collects data, then doesn’t take the necessary steps to protect said data. It then lobbies U.S. lawmakers to ensure we don’t pass new privacy laws or shore up existing protections (as it did when Congress gutted the FCC’s fairly modest broadband privacy rules), and the cycle repeats itself in perpetuity.
The scandals get more and more comical and more and more dangerous (like the time right-wing activists bought the phone location data of women visiting abortion clinics to target vulnerable women with health care disinformation), yet time and time again U.S. policymakers prioritize making money over public safety.
In a serious, functional country we’d have well-crafted, modern privacy laws that hold companies and executives accountable for repeated failures to protect consumer privacy and security. If you hadn’t noticed, we’re not a serious, functional country.