Some Sprint customers received an unpleasant surprise in the mail last week as the company sent out notification of a data breach to an undisclosed number of network users. Hackers gained access to customers’ online logins and could see all of the data visible in those accounts.
Sprint characterized the breach as not creating “a substantial risk of fraud or identity theft”, but that’s a questionable claim. It’s true that credit card information and Social Security numbers aren’t visible in these accounts, but plenty of things that an identity thief or phisher would be interested in were included. The exposed data included first and last name, phone number, device type, home address, account PIN, billing number, device ID and subscriber ID account number, among other information.
This breach follows an attack on Sprint subsidiary Boost Mobile in March that exposed similar customer information.
The Sprint data breach
Sprint sent out notifications about the data breach in mid-July, but the attack happened in mid-June. There was a similar reporting delay with the Boost Mobile breach, which customers were not notified about until May.
Sprint didn’t reveal the nature of the attack beyond saying that the “add a line” portion of partner Samsung’s public-facing website was breached. It’s reasonable to infer that the victims were customers who used this feature during the attack window in June. It’s unknown when the attackers first began accessing Sprint accounts or for how long they had access; the only firm detail is that Sprint says it had secured all affected accounts by June 25. June 22 to 25 is therefore the minimum breach window, but it could have begun earlier, since Sprint’s statement says only that it received notice of the breach from Samsung on the 22nd.
This was all quite similar to the response to the Boost Mobile data breach. In addition to a considerable reporting delay, the eventual company follow-up was light on specifics and indicated that customer PINs had somehow been compromised through the Boost website.
It would have been possible to alter account settings in both the Boost and Samsung incidents, but none of the companies involved ever indicated whether or not that had happened.
Sprint’s dismissal of the risk seems to entirely disregard the possibility of SIM swap attacks, which rely on exactly the type of information exposed in this breach. A SIM swap is a form of social engineering in which the attacker convinces the carrier to move the victim’s phone number to a SIM card the attacker controls, then uses that number to take over accounts tied to it, typically by receiving the SMS verification codes those accounts send.
Sam Bakken, Senior Product Marketing Manager at OneSpan, expanded on the potential dangers of this data breach:
“Suggesting this breach does not put users at risk of fraud or identity theft strikes me as either ignorant or disingenuous. Our mobile devices are becoming a more and more significant aspect of our identity. Look at the damage SIM-swap attacks can do. Combining phone number, device type and device ID, an attacker has the building blocks for an account-takeover scheme. This looks to me like yet another example of consumers’ privacy and security being violated likely through no fault of their own, and businesses should see it as yet more evidence of the importance of multifactor authentication combined with risk analysis to prevent account takeover fraud.”
Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team (VERT), noted that the attackers may even be able to skip the social engineering part of the attack depending on what data they were able to gain access to:
“The breach of a mobile phone operator can be particularly damaging depending on what data the attackers were able to access. In recent years, SIM-swapping and other attacks have been increasing in popularity toward the goal of bypassing SMS-based 2-factor authentication. Although typically this kind of attack is carried out using social engineering or malware, an attacker with access to a victim’s Sprint account may have been able to directly transfer the phone number to another SIM so that they could receive the login code.”
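The risk analysis that Bakken and Young allude to can be made concrete on both sides of a SIM swap: the carrier deciding whether to honour a SIM-change request that arrives shortly after the account’s PIN, address or login device changed, and a relying party deciding whether an SMS code is still worth trusting after the number moved to a new SIM. The following is an added illustration written for this article, not code run by Sprint, Samsung, OneSpan or Tripwire; the account histories, event names and 72-hour thresholds are all constructed assumptions.

```python
"""Risk rules for SIM-change requests and for trusting SMS one-time codes.

Added example for this article. Event data is constructed; thresholds,
event names and the three-way decision are assumptions, not any carrier's
real policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional, Tuple

# Assumption: a profile/credential change this close before a SIM-change
# request is treated as a takeover signal rather than a coincidence.
PRECURSOR_WINDOW = timedelta(hours=72)

# Assumption: a relying party refuses SMS one-time codes for this long
# after the number was moved to a new SIM.
SMS_OTP_COOLDOWN = timedelta(hours=72)

# Events in the carrier's own account history that commonly precede an
# attacker-initiated SIM change once the online login is compromised.
PRECURSOR_KINDS = {"pin_change", "address_change", "email_change", "new_device_login"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str
    detail: str = ""


def assess_sim_change(history: Iterable[Event], request: Event) -> Tuple[str, List[str]]:
    """Decide how a carrier should handle a SIM-change request.

    Returns ("allow" | "step_up" | "deny", reasons). "step_up" means the
    change must be confirmed out of band (a call or text to the number as it
    currently stands, or in-store ID), never via the web session that asked.
    """
    reasons: List[str] = []
    for e in history:
        if e.account != request.account or e.kind not in PRECURSOR_KINDS:
            continue
        age = request.ts - e.ts
        if timedelta(0) <= age <= PRECURSOR_WINDOW:
            reasons.append(f"{e.kind} {age} before request ({e.detail})")
    if not reasons:
        return "allow", reasons
    # PIN change followed by SIM change is the classic takeover sequence: the
    # online channel cannot be trusted to confirm it, so deny outright and
    # route the customer to an in-person or voice-verified process.
    if any(r.startswith("pin_change") for r in reasons):
        return "deny", reasons
    return "step_up", reasons


def sms_otp_trusted(last_sim_change: Optional[datetime], now: datetime) -> bool:
    """Relying-party check before accepting an SMS code as a second factor."""
    if last_sim_change is None:
        return True
    return now - last_sim_change > SMS_OTP_COOLDOWN


# Constructed account history for three hypothetical accounts (not real data).
T0 = datetime(2019, 6, 22, 9, 0)
HISTORY = [
    # A1: unknown browser logs in, resets the PIN, then asks for a new SIM.
    Event(T0, "A1", "new_device_login", "unrecognised browser fingerprint"),
    Event(T0 + timedelta(minutes=5), "A1", "pin_change", "via web self-service"),
    # B2: moved house two weeks ago, now replacing a lost phone.
    Event(T0 - timedelta(days=14), "B2", "address_change", "new billing address"),
    # C3: logged in from a new handset yesterday, now requesting a SIM change.
    Event(T0 - timedelta(days=1), "C3", "new_device_login", "new handset"),
]
REQUESTS = {
    "A1": Event(T0 + timedelta(minutes=40), "A1", "sim_change", "web self-service"),
    "B2": Event(T0, "B2", "sim_change", "web self-service"),
    "C3": Event(T0, "C3", "sim_change", "web self-service"),
}


def run_sim_demo() -> dict:
    """Assess every constructed request; returns {account: decision}."""
    return {acct: assess_sim_change(HISTORY, req)[0] for acct, req in REQUESTS.items()}


def run_otp_demo() -> Tuple[bool, bool, bool]:
    """(never swapped, swapped 1 day ago, swapped 10 days ago)."""
    return (sms_otp_trusted(None, T0),
            sms_otp_trusted(T0, T0 + timedelta(days=1)),
            sms_otp_trusted(T0, T0 + timedelta(days=10)))


if __name__ == "__main__":
    for acct, req in REQUESTS.items():
        decision, why = assess_sim_change(HISTORY, req)
        print(acct, decision, why)
    print("SMS OTP trusted (never / 1 day / 10 days after swap):", run_otp_demo())
```

The point of the carrier-side rule is that once the web login is compromised, every confirmation that flows through that same session is worthless, so the decision has to pull in the account’s recent history and push verification to a channel the attacker does not yet hold. The relying-party check is the mirror image: a service that depends on SMS codes should treat a freshly swapped SIM as an unverified device, regardless of what the carrier did.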
Clouds over the T-Mobile merger?
These breaches threaten to throw yet another wrench into the gears of the proposed T-Mobile and Sprint merger, a process that has dragged on for half a decade and faced both strong political opposition and internal squabbles.
T-Mobile and Sprint are the third- and fourth-largest wireless service providers in the United States, respectively. The companies began discussing a merger in 2014, but the Obama administration was adamant about preventing major telecom mergers. When the new administration took over in 2017 and installed a new FCC chair, it appeared that a path to the merger was clear. But that deal collapsed over a dispute between the two companies about which would hold the controlling share.
Another deal was drafted this year and is in place, at least on paper. The big sales pitch of the merger is that it will help America more quickly develop a 5G network, something seen as strategically vital in the country’s economic competition against China. The deal has the blessing of the FCC, but also needs Department of Justice (DOJ) approval to go forward. The DOJ maintains the Obama-era position that there should be at least four major carriers in the wireless market; this merger would reduce the number to three, as no other existing carrier is currently close in size.
The DOJ has proposed allowing satellite television carrier Dish Network to purchase some of Sprint and T-Mobile’s wireless spectrum so that it can build a large enough network to become the country’s fourth major wireless carrier. Charter Communications has been floated as a potential alternative if things don’t work out with Dish. Whatever the case, Boost Mobile must be sold to someone before the deal can proceed. The DOJ has demanded that a sale be arranged by the end of July, though it is possible to extend this deadline.
The key to all of this dealmaking is to demonstrate that the merger serves the interests of the public as much as it does the two businesses. That becomes a harder sell when a history of breaches begins to develop.
In addition to opposition from the DOJ, a number of state attorneys general have sued to stop the merger. California, New York and eight other states have banded together to oppose the deal in court in the belief that it does not represent the interests of their citizens and will lead to across-the-board price hikes. It may well be that they add data privacy and security to their argument in the wake of this latest breach.
It’s very difficult to say how much impact these breaches could have on the DOJ and state attorneys general given that we do not know how many customers were involved, or whether any of the personal information in their accounts was altered.
The situation is eerily similar to one that happened in the summer of 2018, however. The two companies had just come up with a deal in principle when up to two million T-Mobile customers had their account information and encrypted passwords exposed in a data breach. Shortly after, a security researcher was able to gain unauthorized access to Sprint’s network simply by guessing a poorly secured username/password combination.
Both companies appear to be popular targets for hackers, and attackers are also having a disturbing amount of success in penetrating them. That fact alone should give regulators pause, but it remains to be seen if the data breach issue will end up being a deal breaker.