ROUNDTABLE: Why T-Mobile’s latest huge data breach could fuel attacks directed at mobile devices

TMobile has now issued a formal apology and offered free identity theft recovery services to nearly 48 million customers for whom the telecom giant failed to protect their sensitive personal information.

At the start of this week, word got out that hackers claimed to have seized personal data for as many as 100 million T-Mobile  patrons.

Related: Kaseya hack worsens supply chain risk

This stolen booty reportedly included social security numbers, phone numbers, names, home addresses, unique IMEI numbers, and driver’s license information.

Once more, a heavily protected enterprise network has been pillaged by data thieves. Last Watchdog convened a roundtable of cybersecurity experts to discuss the ramifications, which seem all too familiar. Here’s what they had to say, edited for clarity and length:

Allie Mellen, analyst, Forrester

According to the attackers, this was a configuration issue on an access point T-Mobile used for testing. The configuration issue made this access point publicly available on the Internet. This was not a sophisticated attack. T-Mobile left a gate left wide open for attackers – and attackers just had to find the gate.”

T-Mobile is offering two free years of identity protection for affected customers, but ultimately this is pushing the responsibility for the safety of the data onto the user. Instead of addressing the security gaps that have plagued T-Mobile for years, they are offering their customers temporary identity protection when breaches happen, as if to say, ‘This is the best we can do.’

Chris Clements, VP of Solutions Architecture, Cerberus Sentinel

For T-Mobile, this is the sixth major breach since 2018. The attacker claims to have compromised an end-of-lifed GPRS system that was exposed to the internet and was able to pivot from it to the internal network, where they were able to launch a brute force authentication attack against internal systems.

This is the type of incident that could have been identified as a risk by a properly scoped penetration test and detected with the use of internal network monitoring tools. This further reinforces that doing security correctly at any organization is a cultural characteristic.

Josh Shaul, CEO, Allure Security

The data that was stolen included personal identifiers that can’t be changed, the stuff identity thieves use to obtain and spend credit under other people’s names . . .  it’s notable that T-Mobile only learned about the breach when the data went up for sale. And even then, it took them quite a few days to wrap their arms around the incident.

We all know security is hard. But if you’re acting as a bank with tens of millions of customers, you need to run cybersecurity like a bank with tens of millions of customers. Other mobile carriers that offer similar credit services would be wise to make sure their own security posture is appropriate.

Adam Darrah, director of threat intelligence, ZeroFox

This actor lowered the price from 6 BTC to  $200,000  and caused quite a stir for a few hours because they forgot to put the letter ‘K’ after the number 200, resulting in almost everyone who saw the posting trying to buy the data.

According to the samples ZeroFox has seen, this actor is selling names, DOBs, SSNs and state/zipcode; he claims to have IMEIs and addresses in his possession, but notably is not offering those fields for sale.

It appears that this obscure actor does have what he claims to have, which should be a warning to individuals and businesses alike that there is a target on your back, period. Nobody’s off limits. Individuals need to maintain ownership of their digital footprint.

Tom Hickman, chief product officer, ThreatX

The attempts to monetize this data set does seem brazen. That’s not new, but it’s still pretty shocking that stolen data can be so openly bartered. The dollar values, while not staggering, do put perspective on the fact that criminal data is big business. Even at a paltry value of under a penny record, $260,000 is a big payday . . .  so it is clearly worth someone’s time and effort.

Without more in-depth forensics, which may never be forthcoming, it’s tricky to draw conclusions about root cause. Could be weak application security practices. Could be weak vulnerability management and poor patching hygiene. Could be poor security configuration practices. Could be phished credentials. Could be a bad actor.

Saryu Nayyar, CEO, Gurucul

It’s too early to assess compliance to data loss regulations. There is a patchwork of state regulations, along with GDPR, that T-Mobile has to navigate. A good-faith effort on notification won’t undo the damage done, but it will help the company’s reputation in the long run, and perhaps help fend off regulatory fines.

Scenarios like this are becoming more and more common. Organizations have to do more to protect themselves, by monitoring network and server activity for suspicious patterns. Organizations are not catching these attacks before they do serious damage, and that has to change.

Richard Blech, CEO, XSOC CORP

T-Mobile is a repeat offender, having suffered previous breaches of customer data. It is shocking that a server with that amount on sensitive PII data was accessible and was stored in an unencrypted state. This is really inexcusable.

T-Mobile did the minimum required by law or regulation as far as compliance. However, as a repeat offender, I don’t see how they were compliant with the required standards of protecting that volume or sensitivity of data. Clearly, there was a failure somewhere, either human error or faulty technology or both.

Joshua Arsenio, Director, Security Compass Advisory

Often inadvertent data breaches stem from a well-meaning employee trying to meet the needs of clients but without the technical systems to facilitate. Anyone that works in IT of any kind can appreciate the ‘temporary fixes’ that often come back to haunt us.

I’m going to speculate that the sudden shift to work-from-home in 2020 has led to quick decisions to meet immediate needs. Organizations need to make sure that they are focused on how business is actually conducted now, look at systems that were either quickly implemented or modified, and ensure that they are applying rigour to protecting these systems.

Organizations need to make sure that they are focused on how business is actually conducted now, look at systems that were either quickly implemented or modified, and ensure that they are applying rigour to protecting these systems.

Doug Britton, CEO, Haystack Solutions:

This data could go into highly sophisticated targeting algorithms, spoofing attempts, man-in-the-middle attacks — the list goes on and the ramifications are nearly impossible to quantify.

Most immediately is the ubiquity of 2-factor authentication. The mobile phone is a significant part of what we all know as a secure passcode channel. Compromising that could make other unrelated accounts vulnerable.

T-Mobile needs to review corporate security methods and take steps to understand if this is a true breach and how it happened. Investing in the right type of cyber professionals is key. Building internal teams allows for more focus on forensics and responsive design and development necessary to fight these kinds of attacks.

Baber Amin, COO, Veridium:

The biggest concern is how this information will used downstream . . . Account takeovers can be used to steal money at its very root; and fraudsters can also use this to access loyalty accounts for airlines, hotels, etc., as well as insurance and merchant accounts, to commit insurance fraud and wire fraud.

A SIM SWAP attack can give the attackers access to any text messages or phone calls that are sent to the target’s mobile account, which could in turn be used to circumvent SMS based multi factor authentication and negate any phone-based account take over protection.

Jerome Becquart, COO, Axiad:

Our phone numbers are now frequently used as authenticators when websites requires us to verify our login with an SMS message. They’re also increasingly used as a platform for mobile authenticators such as Microsoft or Google authenticators – many enterprises are implementing these solutions for their employees.

Despite this, maintaining the security of the whole ecosystem is not considered critical by mobile operators. Their database of phone numbers, along with other key information about our phones’ usage and characteristic, makes them more valuable to hackers than your average data breach.

Trevor Morgan, product manager, comforte AG:

For T-Mobile, the situation brings up privacy concerns and questions about the level of due diligence they’ve enacted to prevent hacks and data breaches—the outcome, depending on the facts, could include fines, legal action, and of course reputational damage.

Hacks and breaches are inevitable even for the most well-protected enterprise. A determined threat actor can always find ways to circumvent security. Better to investigate data centric security that protects the data itself, instead of the borders around it. Methods such as tokenization replace sensitive data elements with representational tokens, rendering any stolen data useless.

Sascha Fahrbach, cybersecurity evangelist, Fudo Security:

Our personal data has immense value to cyber criminals; it is very likely that hackers will now weaponize this data to create advanced phishing attacks. which will target victims.

Many organizations are still not able to reduce their attack surface and limit lateral movement once trusted systems  have been breached . . . . holistic security needs an engaged workforce on all levels. It is  not be simply a matter of hiring a CISO,  but ensuring that proper procedures and tools are implemented across the organization, including its third-party suppliers and contractors. Zero Trust needs to lead the way here if consumer and investor confidence is ever to return.”

Garret Grajek, CEO, YouAttest: 

The key to stopping data exfiltration is to follow the Principle of Least Privilege (NIST PR.AC-6). Often, when the root causes of these attacks are revealed, we find a stolen credential associated with an account holding anf unnecessary level of privileges.

Privileges of all users must be reviewed on a regular basis (NIST PR.AC-4) and should be monitored and attested to in a real time basis. . . The forensics on the attack will be coming out slowly with time. It’s important NOT to pile-on T-Mobile but to understand how vulnerable all IT assets are to hacking – especially the assets around PII.

 

Ron Bradley, VP at Shared Assessments

As the frequency and scale of these attacks continue to increase, people tend to get jaded.

This breach ups the ante —  in the ability for attackers to perform account takeovers and disrupt multi-factor authentication mechanisms. Look for unusual activity on your phone and requests for password resets you’re not expecting.

It’s incumbent upon us as consumers of technologies services to adopt a defense-in-depth posture. By that I mean, freezing your credit, being vigilant about checking your credit card and bank statements, using password managers with pass phrases versus passwords, and being cautious about what you share on social media.

Otavio Freire, CTO, SafeGuard Cyber

An interesting challenge will develop for T-Mobile as it conducts business with affected customers going forward.  Since the stolen information is that which carriers typically use to authenticate and authorize customers to access information like call logs, or swap SIMs, the company faces a significant challenge to contain the damage.

Cybercriminals can benefit from fraudulently accessing consumer data. Such data combined with access to social media then allows cybercriminals to identify victims’ banks, homes, children and even file fake individual tax returns, which has been the most financially damaging from previous breaches. Cybercriminals capture authentication information, and they are often using social engineering tactics to target key employees and executives, putting human capital at major risk.

Jack Chapman, VP of Threat Intelligence, Egress.

The leaked data is reported as being accessible to cyber criminals, who could now weaponize it to formulate sophisticated phishing attacks targeting the victims. I would urge any customers who have been affected by this breach to be wary of any unexpected communications they might now receive, whether that’s over email, text messages or phone calls.

Follow-up attacks may utilize the information accessed through this data breach to trick people into sharing more personal data that can be used for identity and financial fraud.

This highlights the need for organizations to secure their sensitive data and defend their employees and their company from targeted attacks.

Eddy Bobritsky, CEO, Minerva Labs:

Most of the modern attacks use evasive malware that are built to work under the radar. This means that a threat actor can be inside the organization network for months, silently stealing valuable data, until being detected.

The only way to defend modern attacks is by using prevention tools that do not require detection or prediction. The approach of stopping the malware before the execution has proved itself as the only way to stop malware without any prior knowledge — without any damage to the organization.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

 

 

 

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/roundtable-why-t-mobiles-latest-huge-data-breach-could-fuel-attacks-directed-at-mobile-devices/