T‑Mobile announced its fourth data breach within the last three years. T‑Mobile, which completed a merger with Sprint in April 2020, also disclosed incidents that occurred in March 2020, November 2019 and August 2018.
A fourth announced data breach in three years impacting an estimated 200,000 customers is not an encouraging security track record by one of the largest telecoms carriers in the US. Though the event in aggregate may be met with little more than a shoulder shrug by customers and no material regulatory action will be taken by the FCC, it is not an encouraging sign for either customers that care about the security and privacy of their data or shareholders.
It is notable that three of the four announced breaches occurred prior to the completion of the Sprint merger in April 2020. This is evidence of less than stellar cybersecurity management prior to the merger.
Why is that relevant? Cyber risks are an increasingly material factor in M&A transactions for the acquiring firm. Cyberhedge models have long identified that the cyber governance performance of an acquiring company tends to decline post-acquisition. Marriott and its 2018 breach that stemmed in part from the Starwood acquisition, and the United Technologies—Raytheon merger are examples of the financial risks that result from heighted cyber risks created by M&A.
Poor cyber heading into a larger merger tends to exacerbate security problems—something T‑Mobile shareholders should have an eye on.