T-Mobile’s cyber team is obsessed with unicorns. And security.

  • T-Mobile’s new Cyber Defense Center brings 200+ cybersecurity professionals under one roof
  • A company-wide “no passwords” policy and YubiKey rollout have slashed account compromises, boosting both security and employee productivity
  • Ongoing hacker events and supplier risk checks reflect T-Mobile’s push to keep hackers at bay

BELLEVUE, WASHINGTON—One thing that you discover after spending a little time at T-Mobile’s new Cyber Defense Center is that unicorns are a real thing here.

This unicorn is ready for selfies. (Monica Alleven for Fierce Network)

They’re everywhere. They’re on stickers that employees create and put on laptops. They’re featured on sweatshirts strewn over chairs. There’s even a life-sized unicorn with a rainbow tail, a transplant from a New York City pride parade that now stands proudly on display on the fourth floor of T-Mobile’s campus.

Company legend has it that the cyber team wanted to create a message that wasn't super techie but would warn users away from malicious websites. Rather than try to communicate a bunch of mumbo jumbo, they came up with, "Unicorns are real but this website is not."

That caught on.

“Then we sort of ran with it to the extreme and it became our unofficial, official cybersecurity mascot,” said SVP of Cybersecurity Mark Clancy.

It’s no secret that T-Mobile has seen its share of data breaches and unfortunate cyber incidents, having experienced at least nine hacks between 2018 and 2023. Several investigations, hefty FCC fines and expensive lawsuits ensued.

In 2023, the company hired Jeff Simon, a cybersecurity expert with a background in the banking industry, as chief security officer; he has since been promoted to EVP and chief information officer.

How T-Mobile attacked phishing

One of the first things Simon did was institute a program to address phishing, which had become a big problem among employees, by implementing a company-wide “no passwords” policy. It was not a simple task getting rid of passwords for thousands of employees and contractors, but they did it in waves to make for a smoother transition, Clancy said. 

It also meant equipping all employees – domestic and international – with a YubiKey, a tiny credentialing device that employees use to access the computer system.

Some of the unicorn-themed stickers. (Monica Alleven for Fierce Network)

The exercise was worth the effort. Prior to going password-less, “we had lots of workforce accounts compromised, and now we go hundreds and hundreds of days in between compromises of accounts,” Clancy said. “It’s just dramatically reduced the exposure we've had, and it stopped the intrusions at the very early stage. It's been hugely effective for us.”

The productivity of people working in T-Mobile’s stores went up because, for example, “they're not waiting on a tech support bridge to get their password reset because they've been on PTO for two weeks,” he said. “We got better productivity and better security. Usually you get one, not both.”

Since going password-less, T-Mobile also instituted a program through Clear that further enhances security by using facial recognition for employee identification. Now they’re extending that concept to the consumer front, where T-Mobile is using facial recognition in the T-Life app for additional, easier security. 

These are just some of the ways T-Mobile is cracking down on bad actors trying to infiltrate its systems. This week, T-Mobile unveiled its new Cyber Command Center, where more than 200 employees work ’round the clock to monitor threats. The state-of-the-art facility opened about two weeks ago.

The facility includes a Cyber Lab, a dedicated space where T-Mobile’s cyber gurus test tools like SIM dialers and inspect products – think phones, femtocells, routers – before they’re certified for sale to the public. Sometimes they’re inspecting after-market products because things can change between pre- and post-production. They’ll use an x-ray machine to detect abnormalities – basically looking for things that shouldn’t be there, like a second processor that could do bad stuff.

Last week, Clancy’s team was in Germany to introduce the crowdsourcing security platform Bugcrowd to colleagues at parent company Deutsche Telekom, where they held a Bug Bash, which is part of the Bug Bounty program. That’s where hackers are invited to find vulnerabilities in the network. They get paid based on the severity of the problems they identify.

“They found a few new things, nothing huge,” Clancy said. “But that continual probing by ourselves to attack ourselves before the other bad guys do has also been super helpful,” he said. “Getting up front on that problem has taken a lot of risk exposure off the table.”

So, does all this mean T-Mobile’s streak of data breaches is in the rear view?

“A little bit of knock on wood always right? But yes, the investments we made, especially in identity and zero trust, dramatically change the trajectory,” he said. “We live in a complicated world, so there's no 100 percentages here, but we've gone hundreds of days between minor incidents [with suppliers] and haven't had major incidents since we made those investments.”

Given that security is of utmost concern to most enterprises, it makes sense that T-Mobile’s new Executive Briefing Center is connected to the Cyber Defense Center.

These facilities carve out a necessary focus in today’s day and age – more so as geopolitical instability and state actors focus on U.S. infrastructure and enterprises, said Bill Ho, analyst at 556 Ventures.

“These centers signal to potential customers that their data and T-Mobile’s cyber defense will meet their needs. As AT&T and Verizon likely have similar capabilities, it’s up to the customers to determine each company's differentiation and how each meets their unique requirements,” he told Fierce.

T-Mobile suppliers under the microscope

Asked the age-old question of what keeps him up at night, Clancy turned that around and quipped that getting to sleep is easy. It’s the things that wake him up at 3 a.m. that are troublesome.

Those include issues like T-Mobile’s suppliers, large and small, and there are many of them. 

“We've gotten our act to a highly defensible place and so now the way to get to companies like a T-Mobile is to go through the suppliers who aren't all there, and we have a third-party risk team who's focused on that,” he said.

One way to address the supplier issue is through the aforementioned Bug Bounty program, where vendors pay the bounty if a flaw is found in their product. The researcher who finds the problem gets rewarded.

“It's pretty transparent. We'll pay out prizes essentially for finding flaws. So small dollars for small flaws, big dollars for big flaws,” he said.

Clancy said he also worries about the little things, like “the thing that we know we should have done and just forgot about. The little niggling detail kind of thing.”

Cyber reflects T-Mobile mantra

The sledgehammer. (Monica Alleven for Fierce Network)

There’s a magenta sledgehammer in one corner of Clancy’s office. It was used to symbolically break ground on the new Cyber Defense Center, which brings together those 200 or so members of T-Mobile’s cyber security team who, up until about two weeks ago, were spread over several different facilities in the Seattle area.

Now they’re all together in one big, state-of-the-art facility.

“We keep going, like our corporate mantra: ‘We won't stop.’ That’s very much how we are in cyber,” Clancy said. “We just keep going forward.”

Of course, it just so happens, one of the T-Mobile stickers features a sledgehammer aimed at smashing passwords – and it’s held by what else? A unicorn. 

This article was updated October 17 to clarify T-Mobile’s work with Bugcrowd at Deutsche Telekom.