
Second Data Breach in 2020 for T-Mobile Exposed Customer and Call-Related Information of 200,000 Subscribers

T-Mobile suffered a data breach in which hackers accessed customer proprietary network information (CPNI) and undisclosed call-related information, according to a statement posted on its website.

The breach was the second in 2020 and the fourth to hit the company since 2018. Similarly, its partner company Sprint suffered two breaches in 2019 and two others in May and July 2020.

However, the third largest mobile service provider maintained that the hackers did not access sensitive customer data, unlike the March 2020 incident that compromised customers’ personal and financial information.

T-Mobile warns subscribers of unauthorized access to customer account information

The telco notified its customers that it had “shut down malicious, unauthorized access” to their T-Mobile account information. The wireless service provider added that it contacted leading cybersecurity forensic experts to analyze the data breach for additional compromise indicators.

Further, the network operator said it reported the security incident to federal law enforcement agencies and commenced an investigation to determine the potential culprits responsible for the incident.

Unlike previous data breaches, the recent intrusion affected just 0.2%, or about 200,000, of T-Mobile’s customer base of close to 100 million. The company reportedly discovered the data breach in early December 2020, according to its spokesman.

Customer proprietary network information exposed in T-Mobile data breach

The telecom giant said that the hackers accessed “customer proprietary network information (CPNI) as defined by the Federal Communications Commission (FCC).”

The mobile giant added that the CPNI possibly “included phone numbers, number of lines subscribed to on your account and, in some cases, call-related information collected as part of the normal operation of your wireless service.”

However, the Bellevue, Washington-based mobile operator clarified that the data breach did not expose customer names on the account, physical or email addresses, financial data, credit card information, social security numbers, tax ID, passwords, or PINs.

The data breach was limited in scope compared to the March 2020 breach, which exposed employee and customer personal information, including social security numbers, financial information, and, for some victims, government identification numbers. That hack originated from a breached third-party email vendor, which granted attackers access to employees’ emails.

Past data breaches

Hackers accessed personally identifiable information (PII) for 1 million prepaid customers in November 2019, while the August 2018 data breach exposed sensitive information for 2 million customers.

T-Mobile’s partner company Sprint also disclosed several breaches in 2019. Hackers compromised Sprint customers’ Boost.com accounts using the victims’ mobile numbers and PINs in May 2020. In July 2020, the company was reportedly hacked through Samsung’s website.

Breached customers are at risk of phishing through text messages (smishing) containing links to malicious sites. Given that the hackers accessed subscribers’ call information, the attackers are likely to craft compelling phishing messages that request sensitive information and claim to originate from the telecom giant.

Although totally preventing a data breach is impossible, the two telecom giants should dedicate more resources to protecting customers’ personal information from determined hackers.

Commenting on T-Mobile’s data breach, Hank Schless, Senior Manager, Security Solutions at Lookout, says that although the breach did not expose highly sensitive personal information, subscribers whose phone numbers were stolen were still at risk.

“An area code is all an attacker needs to carry out a socially engineered mobile phishing attack,” Schless said. “Lookout discovered a mobile phishing campaign in February 2020 that associated area codes with popular banks in the area to try to phish mobile banking login credentials.”

He explained that hackers could impersonate T-Mobile support over voice or text to solicit sensitive personal information from subscribers.

“Since customers know there was a recent security incident, they may not think twice before engaging with an individual who claims they can help. If this were successful and the attacker made their way into the customer’s account, they could have access to sensitive information associated with the account,” he adds.

Schless says that “mobile phishing represents one of the biggest security blind spots for individuals and enterprise security teams alike. Since it can be incredibly difficult to identify phishing attempts on smartphones and tablets, it’s more important than ever to have mobile phishing protection on all of your mobile devices.”

Brandon Hoffman, Chief Information Security Officer at Netenrich, was concerned about the number of successful data breaches on major wireless carriers. He wondered whether the merger between Sprint and T-Mobile was a contributing factor.

“In our industry, when issues continue regardless of impact, we usually go back to the drawing board. It feels like there is an opportunity here to review the foundations of cyber relative to the merged entity and find out where quick wins can be had to shore up defenses.”

Hoffman suggested that the telecom giants were possibly suffering from “consistent advanced persistent threats or there is something easily exploited that is being overlooked.”