Edward Gately | Channelfutures.com »
One cybersecurity expert said this breach could involve all T-Mobile customers past and present.
T-Mobile is investigating a reported breach in which a hacker claims to be selling the personal information of over 100 million of its customers.
The T-Mobile data breach was first reported by Vice, a U.S.-based digital media outlet. It said a forum post claims to be selling a mountain of personal data. The forum post itself doesn’t mention T-Mobile. However, the seller reportedly said they have obtained data related to over 100 million people. In addition, the data came from T-Mobile servers.
The data includes social security numbers, phone numbers, names, physical addresses, driver licenses information and more, the seller said.
T-Mobile Working ‘Around the Clock’
T-Mobile sent us the following statement:
“We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed. We take the protection of our customers very seriously. And we are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims. And we are coordinating with law enforcement.”
“We have determined that unauthorized access to some T-Mobile data occurred. However, we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed. And we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed. This investigation will take some time, but we are working with the highest degree of urgency. Until we have completed this assessment, we cannot confirm the reported number of records affected or the validity of statements made by others.”
“We understand that customers will have questions and concerns, and resolving those is critically important to us. Once we have a more complete and verified understanding of what occurred, we will proactively communicate with our customers and other stakeholders.”
Retaliation for U.S. Cyber Espionage Activity?
“T-Mobile’s attackers apparently claim they ransacked company databases as reprisal for U.S. espionage activity,” he said. “They do not seem to be demanding ransom. If true, it further blurs the lines in cyberwar between government and private assets. Every business has to consider what kind of prize it, too, might represent to threat actors out to score political points.”Hitesh Sheth is president and CEO of Vectra, an artificial intelligence (AI) cybersecurity provider.
If privately-owned infrastructure is going to suffer retaliation for things government does, businesses must shore up their cyber defenses.
“It’s vital that deeper, smarter public-private partnerships define cybersecurity norms, roles and responsibilities,” Sheth said. “Like it or not, when a critical enterprise is a cyber target, it’s playing a role in national defense.”
More Attacks Expected Thanks to Reused Passwords
“If this T-Mobile data breach turns out to be genuine, and the initial signs are that it is, it is an alarm call to all enterprises who may share customers with T-Mobile,” he said. “With 100 million users’ data for sale on the dark web, including usernames, passwords and other personal data, all such enterprises should expect script-driven credential-stuffing attacks imminently against their APIs.”David Stewart is CEO of Approov, an API security provider.
The probability that passwords have been reused across platforms is extremely high, Stewart said. Therefore, some of the T-Mobile credentials will also be valid for other platforms.
All enterprises need to ensure that API calls are authorized by at least one independent authentication factor over and above their standard user authentication method, he said.
Backdoor Access Gained
Hank Schless is senior manager of security solutions at Lookout, an endpoint-to-cloud security company.
“Reports on this data breach indicate that the attacker was able to gain backdoor access to T-Mobile’s infrastructure in order to access and exfiltrate such a large amount of data,” he said. “An attacker usually creates a backdoor by either exploiting a vulnerability or using social engineering to convince an employee to install an infected file that opens up access. Once the attacker has that backdoor access, they can move laterally around the infrastructure to locate highly valuable data. From there, they can either exfiltrate it or encrypt it to kick off a ransomware attack. If the attacker is able to swipe employee credentials as part of their initial attack, then their chances of success are that much higher because they’re masked as a legitimate user.”
This incident highlights the importance of visibility and anomalous behavior detection, Schless said.
“As organizations expand their cloud footprint, enable remote access to on-premises infrastructure, and allow their employees to use personal mobile devices to access company data, they need to implement security and access policies across all of those resources,” he said. “Understanding exactly how your users, devices, files and services interact with each other is the best way to prevent incidents like this. A cloud security platform that can provide this level of visibility is key to any enterprise security strategy.”
External Link: T-Mobile Investigating Reported Data Breach Involving 100 Million Customers