T-Mobile: Some Customers Affected by SIM Swap Data Breach
Incident Follows a High-Profile Breach in August That Affected 50 Million Customers
Mobile carrier T-Mobile fell victim to another data breach, this time linked to a SIM swapping attack that it says affected "a very small number" of its 105 million customers. Details about the breach remain scarce, but T-Mobile says it has enacted proper incident response protocols to limit the number of people affected.
In August, T-Mobile was the victim of a widely publicized data breach in which more than 50 million customers' data was stolen, and attackers attempted to extort $2 million from CEO Mike Sievert, according to The Wall Street Journal.
The Bellevue, Washington-based telecommunications giant first publicly acknowledged the latest breach in a report from Bleeping Computer.
In a statement provided to Information Security Media Group, a T-Mobile spokesperson confirmed the breach, but did not provide additional technical details or discuss best practices it has taken since the larger breach took place.
"Our people and processes worked as designed to protect our customers from this type of attempted fraud that unfortunately occurs all too frequently in our industry," the T-Mobile spokesperson said.
An anonymous spokesperson from the company said "a very small number of customers" may have been affected by the incident.
T-Mobile Help tweeted about the incident and confirmed that the company is "taking immediate steps to help protect all individuals who may be at risk from this cyberattack."
According to data published by Statista in August, T-Mobile serves more than 100,000 million customers worldwide.
Massive Data Breach
This is at least the fifth time T-Mobile has been a target of an attack in the past three years, according to reports by ISMG (see: T-Mobile Probes Attack, Confirms Systems Were Breached).
More than 100 million data records were found for sale online after the August breach - with sensitive records including Social Security numbers, driver's license numbers, names, addresses, birthdates, and security PINs.
The massive data breach allegedly was carried out by John Binns, a 21-year-old American who discovered an unsecured router belonging to T-Mobile. After finding the router, Binns was able to locate a point of entry into a Wisconsin data center, where he began exfiltrating data. Binns told The Wall Street Journal at the time that T-Mobile's security practices were "awful" and bragged about the attack, which he claimed he carried out more for recognition than for monetary gain (see: T-Mobile CEO Apologizes for Mega-Breach, Offers Update).
T-Mobile Targeted, Data of Millions Leaked
SIM swapping fraud and other cybercrimes continue to be prevalent among major mobile carriers and telecom companies.
"For a network as massive as T-Mobile, it's almost inevitable that fraud in this form will take place," says Hank Schless, senior manager of security solutions for Lookout, an endpoint-to-cloud security firm.
T-Mobile has suffered from several public data breaches over the past several years, ranging from 200,000 customers affected to millions.
In December 2020, T-Mobile notified customers that its cybersecurity team had detected "malicious, unauthorized access" to around 200,000 customers' accounts (see: T-Mobile Alerts Customers to New Breach).
Data from more than 1 million customers was leaked after a malicious hacker gained unauthorized access to prepaid wireless accounts in November 2019. In this instance, T-Mobile advised customers to reset their PINs (see: T-Mobile Says Prepaid Accounts Breached).
The first in a series of breaches affecting T-Mobile customers took place in August 2018, when a threat actor stole customer names, ZIP codes and other information on prepaid and postpaid accounts. Some 2.3 million customers were victimized (see: T-Mobile Database Breach Exposes 2 Million Customers' Data).
SIM Swapping Threats
Hitesh Sheth, president and CEO of cybersecurity firm Vectra AI, says that the online ecosystem continues to evolve into a "data leverage culture." Just as preserving and unlocking the value of information is critical, organizations will need to place a priority on protecting data from breaches, he says.
"The richer the cache of data stored on an internet-accessible server, the more tempting a target it becomes," according to Sheth.
SIM swapping, as seen in the T-Mobile breach in August, has become an increasingly common scheme among fraudsters. Insiders are another potential problem.
For instance, on Dec. 9, Jonathan Katz, 40, of Marlton, New Jersey, the manager of a telecommunications store, was arrested and charged with misusing customer information by accessing a "protected computer." Katz used the swapping technique to pull details from customers' accounts, successfully bypassing two-factor authentication, and then laundered the ill-gotten gains through a cryptocurrency wallet.
Katz stole a total of $5,000 from five different victims, according to reports by the Courier Post, a New Jersey digital publication.
In addition to insider threats such as Katz's case, Lookout's Schless believes two areas could also be problematic for organizational security: a BYOD model that allows employees to rely on personal devices in work environments and the threat of an attacker successfully finding an entry point by way of an employee's device.
Schless says that when attackers use a legitimate account as their entry point, they have a greater chance of silently moving laterally around the infrastructure and exfiltrating or encrypting valuable data without being detected. "The nature of this attack chain, which goes from the mobile endpoint all the way to cloud-based apps and data, demonstrates how important it is to leverage modern security platforms that grant your organization visibility into everything across mobile, cloud and on-premises assets," he says.
'Visibility and Controls in Place'
Schless says the difference between a major breach and a minor one may depend on how quickly an organization such as T-Mobile can provide guidance to customers once an attacker has breached their devices. Having "visibility and controls in place," he says, will help lessen the chances of an event unfolding on a larger scale.
"While we don’t have every detail yet, it sounds like T-Mobile was able to inform the affected customers quickly. If those customers were able to follow T-Mobile’s guidance, then the risk of serious compromise may have been controlled," Schless says.
In 2020, Princeton University researchers released a study entitled "An Empirical Study of Wireless Carrier Authentication for SIM Swaps," which analyzed five major U.S. prepaid wireless carriers, including T-Mobile. Its findings revealed that the providers' customers were left vulnerable, in part, due to "poor account authentication procedures" - in some cases allowing attackers to bypass existing access controls (see: How Wireless Carriers Open the Door to SIM Swapping Attacks).
Attackers mainly rely on support center staff approving a mobile "swap" after the phone hijacker supplies identifying information - often stolen credentials, specifically the account PIN - after which the victim's number can be ported over to a SIM under the attacker's control.
The researchers recommended more robust training for support staff to recognize malicious activity such as cybercriminals attempting to impersonate customers.