T-Mobile Reveals More Location Data Abuse Following Questions from Sen Wyden

In response to questions from Sen Ron Wyden (D-OR), T-Mobile has revealed another case of abuse, in which a “bad actor” acquired location information without consumer consent. “It is now abundantly clear that you have failed to be good stewards of your customers’ private location information,” Sen Wyden wrote in another letter March 13 addressed to all of the major telecoms. In the newly revealed incident, in Aug 2014, LocAid—a company that aggregated location data from the telecoms and then sold it onto other clients—informed T-Mobile it was suspending the account of a particular customer called Freedom Telecare. This was “due to an identified vulnerability in the consent mechanism,” T-Mobile's letter adds. “There was suspicion that a bad actor, who was a paying customer of Freedom Telecare, had acquired location information without customer consent, but review of the evidence could not confirm improper disclosure of location data,” the letter reads. The vulnerability was fixed and then the service re-enabled, it adds. In his letter March 13, Wyden asked AT&T, Sprint, T-Mobile, and Verizon to list all incidents since Jan 1, 2010, in which a third party fraudulently obtained location data. He also asked the telecoms to confirm whether they had reported each of these incidents through the Federal Communications Commission Data Breach Reporting Portal, which they are required to by law.