The News: Details are starting to emerge about T-Mobile’s massive data breach, which impacts some 100 million+ T-Mobile USA customers. Read more at MarketWatch.
T‑Mobile’s Massive Data Breach Impacts 100 Million+ T-Mobile USA Customers
Analyst Take: T-Mobile’s massive data breach is the cybersecurity focus of the week. As first reported by Vice’s Motherboard on Sunday, claims are circulating on the dark web of data obtained from 100 million customers of T-Mobile USA’s services. Hackers are reported to be selling a subset of that data on the underground for around 6 Bitcoin, which is about $268,000 US.
According to an updated article by VICE’s Motherboard published on Monday, the seller has claimed the compromised data includes 100 million personal records, of which 36 million are unique, which contain social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver’s license information from T-Mobile USA customers. Motherboard has seen samples of the data, and confirmed they contained accurate information on T-Mobile USA customers. It is claimed that one of the databases contains personally identifiable information on T-Mobile customers in the U.S. going back to the mid-1990s. Yikes.
It has also been reported that some of the stolen data includes security PINs, the secret numbers that customers use to identify themselves when working with customer service reps. This could potentially lead to what is called SIM swapping or hijacking attacks perpetrated against customers.
The Details of the Hack, Exposed by Und0xxed on Twitter
It is reported that the intrusion was discovered when the account @und0xxed (also affiliated with the account @IntelSecrets) started sharing details on Twitter.
Und0xxed indicated he had no responsibility for the act of stealing the databases but was instead responsible for selling the stolen customer data. Und0xxed claims the hackers found an opening in T-Mobile’s wireless data network that allowed them access to two data centers. After that, the hackers were able to download what is reported to be more than 100 gigs of customer data. Und0xxed also claimed in a tweet shared Tuesday morning that T-Mobile’s data was sitting in plaintext on an insecure backup server and that taking it was not at all difficult.
One additional relevant point as it relates to those at risk in this T-Mobile breach: Und0xxed confirmed that “All T-Mobile USA prepaid and postpaid customers are affected; Sprint and the other telecoms that T-Mobile owns are unaffected.”
One final relevant point about Und0xxed: as the Twitter profile shows, the name John Erin Binns is associated with the account, and its description speaks of being in cahoots with @IntelSecrets, an elusive hacker. The Und0xxed profile claims a focus on exposing “feds & skids since 2019.” The Binns situation is a bit wacky. The short version of the story is that Binns claims to have fled the U.S. to escape prosecution in a breach referred to as Satori, and has reportedly filed a number of lawsuits against several federal agencies seeking restitution based on unsubstantiated claims of kidnapping at the hands of the Turkish.
All of this is relevant as Krebs on Security reports that the hackers responsible for the T-Mobile breach spoke with security researcher Alon Gal and said they did it to “retaliate against the US for the kidnapping and torture of John Erin Binns in Germany by the CIA and Turkish intelligence agents in 2019. We did it to harm US infrastructure.” One thing is for certain, they got the attention they were seeking.
The Implications for T-Mobile as a Result of this Data Breach
While it appears that T-Mobile has indeed shut down the entry point used by the hackers, it is reported that the data has not only already been fully downloaded locally, but that it has also been securely backed up. In a statement posted Monday, T-Mobile, which has more than 100 million subscribers in the U.S. alone, acknowledged the breach but did not elaborate on whether personal information was involved, despite reports suggesting otherwise. In the statement posted on the company website, T-Mobile did say: “We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed. This investigation will take some time, but we are working with the highest degree of urgency.” You can find the full announcement from T-Mobile here.
As is the case with many data breaches, the company is not yet telling its customers or the media the whole story. If this were the EU where T-Mobile is headquartered, then GDPR regulations would have mandated a more forthcoming statement from the company on what had been breached and what the company was planning to do to resolve the issue.
It’s safe to say that the last thing that T-Mobile wants to be talking about right now is a security breach of this nature, involving their customers’ most sensitive data. With the key fall period approaching, the Sprint network to integrate, new phones being launched by the likes of Samsung this very week and the battle for 5G supremacy heating up, the team at T-Mobile USA have enough to worry about without hackers entering the fray. The carrier must be grateful however, that while this appears to be a huge breach of very personal customer data, those very customers are becoming desensitized to breaches of their data as it is now almost a daily occurrence.
In the coming weeks and months, it will be interesting to see the potential impact on T-Mobile as it tries to gain market share in the crucial battle to secure 5G customers. We will also be watching closely, when the company announces Q3 results, whether this breach leads to impairment costs. According to the IBM annual data breach report, the average breach (which this most certainly was not) costs U.S. companies $9.05 million, so it will be fascinating to see what costs T-Mobile attributes to the breach in public financial statements.
The Role of Confidential Computing: How Organizations Can Protect PII Data
As mentioned above, while T-Mobile is mum on the details, the hacker universe is sharing fairly widely that this breach was perpetrated with ease, and that T-Mobile’s data was sitting in plaintext on an insecure backup server. Today (and every day) protecting customer data, and all data, is business mission critical – for telcos and every other organization.
Our team here at Futurum Research is seeing a trend emerge where the industry is starting to mobilize around a completely new paradigm in security protection called Confidential Computing. This new approach focuses on securing data in use, for example when a database is actually being updated or accessed by applications.
Previously, the industry’s major security focus has centered on encrypting data in transit and/or at rest. While it is still unclear whether this hack would have been prevented by securing the database while in use, it does appear that hackers gained access to a key PII database via a backdoor. We are seeing vendors such as IBM, with the company’s range of Hyper Protect Database-as-a-Service, and AWS, with its Enterprise Nitro Enclaves offering for trusted execution environments, pivot to protect sensitive data in a manner that affords protection without relying on people, procedures, and/or compliance. That’s a very short description of a complex topic. We recently published a report on this trend, The Rise of Confidential Computing — Trust: The New Battlefield in the Age of Digital Transformation, if you’d like a deeper dive on the topic.
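The point above is that a backup holding PII in plaintext is only as safe as the server it sits on. As an added illustration (not T-Mobile’s code, data or tooling, and not part of the original article), the Python below scans a serialized backup export for plaintext identifiers of the kinds named in the reports (SSNs, phone numbers, IMEIs), then replaces those fields with keyed HMAC-SHA256 pseudonyms before the export leaves the database host, so that a copied backup reveals nothing without the key. The rows, key and regular expressions are all constructed for the example; a real deployment would keep the key in a KMS or HSM and would encrypt the remaining fields as well.

```python
"""Added example: find plaintext PII in a backup export and pseudonymize it.

Sample rows and key are constructed for illustration; none of this is
T-Mobile's code or data.
"""
import hashlib
import hmac
import json
import re

# Constructed sample backup rows with fictional identifiers.
SAMPLE_BACKUP = [
    {"name": "A. Customer", "ssn": "123-45-6789",
     "phone": "555-010-2020", "imei": "490154203237518"},
    {"name": "B. Customer", "ssn": "987-65-4321",
     "phone": "555-010-3030", "imei": "356938035643809"},
]

# Simple patterns for the identifier formats used in the constructed rows.
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "imei": re.compile(r"\b\d{15}\b"),
}
SENSITIVE_FIELDS = ("ssn", "phone", "imei")


def plaintext_pii_counts(rows):
    """Serialize the export as JSON and count plaintext PII matches per kind.

    Run this against an export before it is shipped to a backup server;
    any non-zero count means raw identifiers would land on that server.
    """
    blob = json.dumps(rows)
    return {kind: len(pat.findall(blob)) for kind, pat in PII_PATTERNS.items()}


def export_is_clean(rows):
    """True when no plaintext PII pattern appears in the serialized export."""
    return sum(plaintext_pii_counts(rows).values()) == 0


def pseudonymize(value, key, field):
    """Keyed, deterministic token for one field value.

    HMAC-SHA256 over "field:value" so the same SSN maps to the same token
    (joins still work) while the key, which never travels with the backup,
    is required to link a token back to a customer.
    """
    msg = f"{field}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def protect_export(rows, key):
    """Return a copy of the rows with sensitive fields pseudonymized."""
    protected = []
    for row in rows:
        out = dict(row)
        for field in SENSITIVE_FIELDS:
            if field in out:
                out[field] = pseudonymize(out[field], key, field)
        protected.append(out)
    return protected


if __name__ == "__main__":
    key = b"constructed-example-key-keep-in-kms"  # constructed, not a real key
    print("before:", plaintext_pii_counts(SAMPLE_BACKUP))
    safe = protect_export(SAMPLE_BACKUP, key)
    print("after: ", plaintext_pii_counts(safe), "clean:", export_is_clean(safe))
```

The scan is deliberately a pre-flight check on the export artifact rather than on the database: it catches the case the reports describe, a copy of customer data written out in the clear, regardless of how well the live database is protected.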
In summary, it will be very interesting to watch the details of T-Mobile’s massive data breach play out in the weeks and months ahead. If you’re a CISO or a security professional, especially if charged with managing personally identifiable information, take this as a clarion call to thoroughly investigate and redouble your security efforts and perhaps begin exploring what a solution like Confidential Computing can do for you. It will also be interesting to see how lawmakers progress in their efforts to pass a disclosure bill for cybersecurity breaches, which won’t help protect from data breaches, but will perhaps speed up the notification processes and brands owning the reality of a breach and its impact.
Finally, if you’re a T-Mobile customer, here’s what you should do: immediately assume your personal data has been compromised. With T-Mobile’s massive breach, on the not too distant heels of the 2017 Equifax breach that exposed the data of 143 million Americans, combined with the Facebook data breach and the Marriott data breach, and the LinkedIn data breach, and the Yahoo data breach — well, you likely get our drift. Credit monitoring is essential today and freezing your credit online through one of the three main credit bureaus (Equifax, Experian, and TransUnion) is easy and smart. Especially since social security numbers, names, and addresses were all part of the data reportedly accessed in this T-Mobile breach.
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.