New data breach impacts 37 million accounts
T-Mobile revealed on Thursday that the attacker started stealing data using the impacted API around November 25, 2022. The mobile carrier detected the malicious activity on January 5, 2023, and cut off the attacker's access to the API one day later.
T-Mobile hacked to steal data of 37 million accounts in API data breach
"T-Mobile disclosed a new data breach after a threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts through one of its Application Programming Interfaces (APIs).
An API is a software interface or mechanism commonly used by applications or computers to communicate with each other.
Many online web services use APIs so that their online apps or external partners can retrieve internal data as long as they pass the right authentication tokens...
The company described the data stolen in this attack as "basic customer information" in a separate press release.
T-Mobile has reported the incident to U.S. federal agencies and is now working with law enforcement to investigate the breach.
The carrier is also now notifying customers who might have had their sensitive personal information stolen as a result of this breach.
"Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network," T-Mobile said.
Eighth T-Mobile data breach since 2018
While this is the first breach disclosed by T-Mobile since the start of the year, the mobile carrier has disclosed seven other data breaches since 2018, including one where attackers gained access to the data of roughly 3% of all T-Mobile customers.
In 2019, T-Mobile exposed prepaid customers' data. Unknown threat actors also accessed T-Mobile employees' email accounts in March 2020.
In December 2020, unknown threat actors also gained access to customer proprietary network information (phone numbers, call records), and in February 2021, attackers accessed an internal T-Mobile application without authorization.
Several months later, in August 2021, hackers brute-forced their way through T-Mobile's network after a breach of the carrier's testing environments.
After the August 2021 breach, the carrier failed to stop the stolen data from being leaked online even though it paid the attackers $270,000 through a third-party firm.
Last but not least, the company also confirmed in April 2022 that the Lapsus$ extortion gang had breached its network using stolen credentials."
T-Mobile Data Breach: Hackers Stole 37 Million Customers’ Info, Company Says
Topline
Around 37 million T-Mobile customers recently had their personal information compromised in the company’s second major hack in less than two years, the company said Thursday, adding hackers were able to access customers’ names, addresses and dates of birth but not highly sensitive financial information like Social Security and credit card numbers.
Key Facts
Hackers were additionally able to see customers’ emails, phone numbers and details about their plans, including account numbers, T-Mobile said in a regulatory filing.
The company said it became aware of the breach on January 5 but was able to stop the malicious activity within a day.
The data compromise likely started around November 25, according to T-Mobile, which says it is now “working with law enforcement” on the matter.
T-Mobile said it found “no evidence” the hacker “was able to breach or compromise our systems or our network.”
The company’s stock dropped nearly 1.5% in after-hours trading Thursday to $143.
Crucial Quote
“We may incur significant expenses in connection with this incident,” T-Mobile said in the filing.
Key Background
This is the second major hack involving T-Mobile in the past few years. In 2021, hackers were able to steal the personal information of more than 54 million customers in a ransomware attack, and later attempted to sell off the data. Unlike the recent attack, hackers in the 2021 incident managed to access Social Security numbers and information from driver’s licenses. T-Mobile said it committed to “a substantial multi-year investment” to boost its cybersecurity following the 2021 hack, claiming Thursday it has “made substantial progress to date.”
What To Watch For
T-Mobile said it does not expect the hack to impact company operations but acknowledged it is “unable to predict the full impact” of the hack at this time..."
DATA BREACH CHART 2018
T-Mobile to pay $500m to settle class action data breach lawsuit
T-Mobile has agreed to pay $500 million to settle a class action lawsuit launched after a 2021 data breach.
It will pay $350 million to settle claims and plaintiffs’ legal fees. It has also committed to spending a further $150 million on “data security and related technology” in 2022 and 2023, it said in an SEC filing.
Settlement of the T-Mobile class action suit (T-Mobile Customer Data Security Breach Litigation, Case No. 21-md-3019-BCW, pending in the Western District of Missouri), is subject to court approval.
The case was launched after 21-year-old hacker John Binns accessed the data of 54 million customers and partners, telling press T-Mobile’s security was “awful”. He accessed phone numbers, dates of birth, social security details, IMEI and IMSI information, the typical identifier numbers associated with a mobile phone and more.
T-Mobile expects final court approval by December 2022: “[It] anticipates that, upon court approval, the settlement will provide a full release of all claims arising out of the cyberattack by class members, who do not opt out, against all defendants, including the Company, its subsidiaries and affiliates, and its directors and officers. The settlement contains no admission of liability, wrongdoing or responsibility by any of the defendants” it said.
T-Mobile reported $58.4 billion in full-year 2021 earnings. It expects cash capex of $13.5 billion in 2022.
It told investors in March 2022 that “we’re expanding the number of large multinational banks relying on T-Mobile for security, for compliance, for their hybrid workforce” — making the comments just five days after reports of another breach in which a group of teenage hackers hacked T-Mobile and downloaded over 30,000 source code repositories — also gaining access to Atlas, a T-Mobile tool for managing customer accounts.
T-Mobile CEO Mike Sievert said in the wake of the 2021 T-Mobile breach (confirmed on August 17, 2021), that the telco had entered into long-term partnerships with Mandiant, and KPMG, saying “we know we need additional expertise to take our cybersecurity efforts to the next level—and we’ve brought in the help.”
Mandiant will “support us as we develop an immediate and longer-term strategic plan to mitigate and stabilize cybersecurity risks” he said, while KPMG will “perform a thorough review of all T-Mobile security policies and performance measurement… focus on controls to identify gaps and areas of improvement.”
FURTHER READING
T-Mobile’s Hack Of 50 Million Users Leaves Black Community At Risk (Forbes)
T-Mobile Data Breach Amplifies Larger Cybersecurity Challenge
Reports came out this week that T-Mobile had suffered a data breach. T-Mobile claims that the leak has been sealed. They deserve credit for responding quickly, but for some the damage may already be done. The data itself may not pose a direct risk to anyone, but the more information cybercriminals can obtain and correlate, the more effective future attacks will be.
T-Mobile Breach
According to reports, sensitive personally identifiable information (PII) of about 100 million T-Mobile customers—including names, addresses, Social Security numbers, driver’s license numbers, and even unique IMEI numbers that identify the individual’s specific mobile device—was offered for sale on a Dark Web forum.
T-Mobile issued a statement, “We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed.”
If the claim of 100 million compromised accounts is accurate, though, that would mean that a large percentage of current or past T-Mobile customers were already impacted before T-Mobile was able to take action to address the data breach.
T-Mobile confirmed that there was a data breach but has not yet verified what data was leaked or whether it contained the PII claimed by the attackers. The only people who know the true situation right now are inside T-Mobile. I am looking forward to their continued transparency in the days ahead as the investigation continues.
Fortunately, they haven’t played the victim card which is wise, and I am equally hopeful that the industry keeps its ire focused on the attackers and not T-Mobile - security is a process not a state of being, and nothing is accomplished by “bayoneting the wounded.”
Connecting the PII Dots
If PII was, in fact, exfiltrated from T-Mobile, is that cause for concern? It does appear that Social Security numbers, government ID numbers, driver’s license information and other personal information is being made available for sale. That is bad, but this breach is also a reminder that—as consumers—our personal information has been stolen many times over and sold on the Dark Web.
I get it. If your Social Security number is already compromised, it is easy to feel jaded about new breaches exposing it again. We can’t become complacent, though. It is important for organizations to do everything they can to protect sensitive data, and for consumers to do everything possible to safeguard PII. Each piece of PII may seem innocuous on its own, but it is all pieces of a puzzle.
What is particularly concerning with the T-Mobile breach is the availability of mobile phone IMEI identity numbers tied to each specific customer’s phone. The more information cybercriminals have about you, the more targeted and effective they can craft their attacks. With a blend of consumer data, criminals can more easily dupe consumers into opening phishing emails and phishing texts.
Constant Vigilance
Data breaches, ransomware attacks and other malicious threats are not receding. On the contrary, they are increasing in frequency and severity.
We should all be on the lookout for the back-to-school scams and typical post summer resurgence of business that will likely herald an uptick in attacks while whetting the appetites of cybercriminals to carry out more brazen attacks.
Organizations need to have cybersecurity that provides the visibility and context to identify and understand suspicious or malicious activity in their environments. It is more important than ever for organizations to remain vigilant—and to have tools in place to effectively detect and stop attacks before data is compromised.