40M T-Mobile customers’ data leaked: expect social engineering and identity theft
T-Mobile suffered from a "highly sophisticated" attack, which compromised 7.8M current customers and over 40 million records of former or prospective customers. It's the 6th T-Mobile breach over the last four years. Should we get used to it?
The telecom operator T-Mobile US acknowledged that it suffered a data breach. "We have been urgently investigating the highly sophisticated cyberattack against T-Mobile systems," the company said in a statement.
Late last week, T-Mobile was tipped off about claims in an online forum that a threat actor had compromised T-Mobile systems. The company announced it has located and immediately closed the access point that might have been used to gain entry to the organization's servers illegally.
T-Mobile began coordination with law enforcement and was able to confirm that stolen data included some personal information. However, there's no indication that customer financial, credit card, debit, or other payment information was stolen.
Some of the data accessed did include customers' first and last names, date of birth, SSN, and driver's license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.
"Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts' information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile. Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers," the press release reads.
CyberNews talked to cybersecurity experts about the breach, and they emphasized that this is not the first time that T-Mobile has suffered a cyberattack, and "this has become an all too common occurrence for companies worldwide."
This is not the first cyberattack against T-Mobile. However, experts believe it signals not that there is something amiss with the organization but rather a colossal problem of cybercrime on a global scale.
"This has become an all too common occurrence for companies worldwide. Companies need to take immediate action to prevent such breaches, but they can't do it alone. (...). Recent attacks only highlight that a collective effort is needed to combat the risk posed by cybercriminals," Ric Longenecker, CISO at Open Systems, told CyberNews.
The U.S. Federal Communications Commission (FCC) said on Wednesday it is investigating a T-Mobile US Inc data breach, Reuters reported.
"Telecommunications companies have a duty to protect their customers’ information. The FCC is aware of reports of a data breach affecting T-Mobile customers and we are investigating," an FCC spokeswoman said.
As first reported by Motherboard on Sunday, the malicious hacker was selling a portion of the obtained data for 6 Bitcoin, and the trove included not only names and phone numbers, but also more sensitive data such as social security numbers, driver's license information, and unique mobile device identifiers (IMEI numbers). At this moment, the company's official statements neither confirm nor deny IMEI numbers being leaked.
"The IMEI combined with SSN and other data is one of the best back doors a criminal can have. Not only do all too many systems use SMS as a second authentication factor, but they also use it heavily for password resets and cryptocurrency wallets. Just move fast if you get a notice of a password reset or new device. This is significant exposure," Stel Valavanis, CEO of Chicago-based onShore Security, told CyberNews.
He said that the recent breach doesn't look like a usual "spray and pray" attack. The phrase refers to setting up as many traps as possible for potential victims (such as phishing emails) with minimal effort and praying for the desired result.
"Just remember that dwell times average around 200 days. It takes time to roam around a database or any application front-ending it. Unless the criminals have significant insider help or deep knowledge of the particular systems, they need a good amount of time. And then have to move the data without being detected too quickly. That takes a plan," he said.
Valavanis highlighted that T-Mobile had been breached six times in four years, but that is not a sign of faulty actions by the organization. According to the experts, cybercrime now needs to be tackled at the policy level, a step that is way overdue.
"This is not even the clearest example of how sophisticated and resourceful the pirates are. They can do far worse, and they've been fattened by all the ransom we've all paid them. They've barely had to lift a finger to do that, and they are capable of much more with or without nation-state support. They don't need it anymore. They just need a safe harbor, which they have. It doesn't end here, and it doesn't end well. Cybercrime needs to be addressed at the policy level. It's way overdue," he said.
Expect social engineering and identity theft
Needless to say, if you are a T-Mobile customer, you should be on the lookout for scams - criminals might try to trick you via social engineering attacks and steal your identity.
“With names, SSN, addresses, IMEI, and knowing that these are T-Mobile customers, it is easier for scammers to craft phishing emails that will allow the scammers to get consumers to provide credit card information or otherwise for alleged payment of T-Mobile services. The scammers also may not just use email but text messages or phone calls.
The scammers may also include malicious links in emails or text messages to compromise devices of consumers,” Greg Kelley, EnCE, DFCP at Vestige Digital Investigations, told CyberNews.
The breach could also lead to identity theft and credit card fraud.
“The more information a scammer has, the easier it is to steal one’s identity. The scammer may be able to perpetrate a consumer in calling into T-Mobile. All of this can lead to SIM swapping (a SIM card controls what phone number a device has, and SIM swapping allows a scammer to have a device with your phone number), credit card fraud, opening up of new accounts, etc.,” he said.
According to Mark Stamford, CEO of OccamSec, it might be tricky for criminals to do anything at scale with this data, but the damage inflicted on an individual might be colossal.
“You do have the potential to pretend to be another user’s phone which could be used in a variety of ways - commit a crime and use the IMEI to frame someone else for it (make it look like Bill committed the crime since his phone was there), criminal or terrorist groups could use rotating IMEIs to assist in avoiding monitoring (although you’d have to change SIM cards also), and anything else where having your phone appear to be someone else could be of use,” he said.
“We take our customers’ protection very seriously and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack,” T-Mobile said.
The company claims to be taking immediate steps to protect all customers who might be at risk from the current cyberattack:
- Immediately offering 2 years of free identity protection services with McAfee’s ID Theft Protection Service.
- Recommending all T-Mobile postpaid customers proactively change their PIN by going online into their T-Mobile account or calling our Customer Care team by dialing 611 on your phone. This precaution is despite the fact that we have no knowledge that any postpaid account PINs were compromised.
- Offering an extra step to protect your mobile account with our Account Takeover Protection capabilities for postpaid customers, which makes it harder for customer accounts to be fraudulently ported out and stolen.
- Publishing a unique web page later on Wednesday for one stop information and solutions to help customers take steps to further protect themselves.
“At this time, we have also been able to confirm approximately 850,000 active T-Mobile prepaid customer names, phone numbers, and account PINs were also exposed. We have already proactively reset ALL of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away. No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed,” the company said.
It also confirmed that there was some additional information from inactive prepaid accounts accessed through prepaid billing files. No customer financial information, credit card information, debit, other payment information, or SSN was in this inactive file.