> Many companies underestimate threats until something like this happens
Speaking from my experience, many don't understand the threats even after an incident. The reaction is often to add 'more security' under any name. More restrictive policies, more scanning, more layers of MFA - just blindly layering on things because it's seen as 'more secure' without properly understanding how it affects risk is an awful approach to managing security.
And I would say T-Mobile not only doesn't understand the threats after their many data breaches, they have continuously failed to improve Cybersecurity.
They have an incredibly crusty, buggy billing system written in PowerBuilder, and I swear it's a holdover from the Voice stream days
Speaking from my experience, many don't understand the threats even after an incident. The reaction is often to add 'more security' under any name. More restrictive policies, more scanning, more layers of MFA - just blindly layering on things because it's seen as 'more secure' without properly understanding how it affects risk is an awful approach to managing security.