Update: T-Mobile USA officials have confirmed that the records of 47.8 million current, former and prospective customers were stolen in a “highly sophisticated cyberattack” late last week.
That number is half what the hackers had claimed, but still substantial, and in some cases the records contained personally identifiable information (PII) such as Social Security numbers, birth dates and driver’s license information.
Vice reported in recent days that hackers had told them they had stolen the data – including phone numbers, names, Social Security numbers, physical addresses, driver’s license information, unique IMEI numbers (a 15-digit number unique to each device) and IMSI numbers (which identify each subscriber on a cellular network) – and that they were selling the information.
According to Vice, the hackers were selling data containing 30 million Social Security numbers and driver’s licenses on an underground forum, asking for six Bitcoin – or about $270,000 – for the information. The hackers said they were privately selling the rest of the data.
Entry Point Closed, Investigation Underway
T-Mobile officials initially said they were investigating whether there was a compromise of company servers and later confirmed in a statement that there was a breach, but cautioned that “we have not yet determined that there is any personal customer data involved.”
“We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed,” they said.
The company officials said the investigation “will take some time,” and that until the assessment is completed, they can’t “confirm the reported number of records affected or the validity of statements made by others.”
Hackers Get In Via GGSN
The attack first came to light on a Twitter account @und0xxed that rolled out details of the breach. Vice was able to communicate with the attackers, who said that T-Mobile engineers apparently had learned about the compromise and had closed their backdoor avenue to the servers but added that by that time it was too late. The attackers already had stolen the data and had backed it up at multiple sites.
BankInfoSecurity reported that it had communicated with one person involved in the T-Mobile attack, who said the attackers got into the T-Mobile systems because the giant carrier had left a gateway GPRS support node (GGSN) – a router that sits between the company’s network and the internet – misconfigured, exposing it to the internet. The attackers had access to the T-Mobile systems for two to three weeks before access was shut down Aug. 14.
After that, they shifted focus to T-Mobile’s LAN and then to more than 100 Oracle databases that held user data. The data was taken from two T-Mobile data centers.
Someone on the und0xxed Twitter account told Krebs on Security that T-Mobile USA prepaid and postpaid customers were impacted by the breach. Customers of other telcos like Sprint that are owned by T-Mobile were not affected.
Businesses Need to Step Up Security
Jack Chapman, vice president of threat intelligence at email and data security software maker Egress Software, told eSecurity Planet that if what the attackers say is true, the breach could be one of the most serious seen so far this year.
“The data leaked in this breach is reported as being already accessible to cybercriminals, who could now weaponize it to formulate sophisticated phishing attacks targeting the victims,” Chapman said. “In light of this, I would urge any customers who have been affected by this breach to be wary of any unexpected communications they might now receive, whether that’s over email, text messages or phone calls. Follow-up attacks may utilize the information accessed through this data breach to trick people into sharing more personal data that can be used for identity and financial fraud.”
It’s also the latest demonstration of the need for organizations like T-Mobile to take responsibility for the large amounts of personal data they hold and to ensure the right technology is in place to protect it against attacks.
According to some reports, the attackers claim that the hacking of the T-Mobile systems was in response to espionage activities by the U.S. government, something that indicates a change of thinking for some bad actors, according to Hitesh Sheth, president and CEO of cybersecurity vendor Vectra.
“They do not seem to be demanding ransom,” Sheth told eSecurity Planet. “If true, it further blurs the lines in cyberwar between government and private assets. Every business has to consider what kind of prize it, too, might represent to threat actors out to score political points.”
He added that “if privately owned infrastructure is going to suffer retaliation for things government does, it’s not only imperative that businesses shore up their cyber defenses. It’s vital that deeper, smarter public-private partnerships define cybersecurity norms, roles and responsibilities. Like it or not, when a critical enterprise is a cyber-target, it’s playing a role in national defense.”
T-Mobile a Repeat Target
T-Mobile has been a repeat target of cybercriminals over the past several years. In 2018, a compromise of T-Mobile systems resulted in personal information of 2 million customers being stolen. A year later, prepaid customer data – including billing addresses, phone and account numbers and wireless plans – was breached, and in 2020, employee and customer data was stolen. In January, T-Mobile reported that someone gained unauthorized access to information from some T-Mobile accounts.
Data breaches continue to be a scourge of enterprises. A report by the Identity Theft Resource Center found that in the second quarter of 2021, the number of publicly reported data breaches in the United States (491 compromises) was up 38 percent over the first quarter, though the number of individuals impacted by those breaches – 52.8 million – was down 20 percent.
According to IBM’s annual Cost of a Data Breach Report for 2021, there has been a 10 percent increase in the average total cost of a breach between 2020 and 2021, from $3.86 million to $4.24 million. According to Big Blue, costs were much lower for organizations that had a more mature security posture. Those who were behind in such areas as security artificial intelligence (AI) and automation, zero trust and cloud security sustained higher costs.
Further reading: How Zero Trust Security Can Protect Against Ransomware