SIM swapping attacks cause another data breach at T-Mobile
T-Mobile suffered from a data breach in a series of SIM swapping attacks, potentially leaving sensitive information of a small number of customers exposed. The incident comes just a few months after a massive breach affected 53 million customers back in August.
According to the T-MO report, unauthorized activity on some of the customers’ accounts may have either resulted in SIM swaps, personal plan information exposed, or both.
"We informed a very small number of customers that the SIM card assigned to a mobile number on their account may have been illegally reassigned or limited account information was viewed," a T-Mobile spokesperson commented to BleepingComputer.
A SIM swapping attack can have dire consequences for a customer. It allows an attacker to swap the SIM card associated with a number to bypass 2FA authentication on the victim’s personal accounts.
"Unauthorized SIM swaps are unfortunately a common industry-wide occurrence, however this issue was quickly corrected by our team, using our in-place safeguards, and we proactively took additional protective measures on their behalf," a T-Mobile spokesperson added.
A series of breaches since 2018
Over the past couple of years, T-Mobile has been falling victim to cyberattacks with worrying regularity. As such, in 2018, a security breach could have potentially impacted 3% of the company’s 77 million customers, with the overall six breaches suffered by T-Mobile since 2018, according to Reuters.
"It appears that their IT system is particularly vulnerable since they haven't been able to rectify their known security issues during this time period, which should be concerning to customers,” Doug Schmidt, a professor of computer science at Vanderbilt University, said.
Back in August, an attacker claimed to be Jonn Binns from the United States used an unprotected router to hack into Washington state data centers, eventually gaining access to over 100 T-Mobile’s servers via stolen credentials.
"Their security is awful," Binns said, according to The Wall Street Journal. "I was panicking because I had access to something big."
As a result, personal data of postpaid, prepaid, previous, and prospective customers was stolen, with no financial information affected. Currently, there are approximately 44 class actions filed against the carrier because of the incident.
More from CyberNews:
Subscribe to our newsletter