Mobile carrier T-Mobile, the second largest in the US as of Q2 2021, appears to have suffered a devastating data breach: a reported 100 million records have appeared for sale on a dark web forum. The exposed customer data is about as sensitive as it gets, with Vice’s Motherboard verifying that a sample of it contained accurate Social Security numbers and driver’s license numbers among other pieces of personal information.
T-Mobile data breach still being investigated, company has yet to confirm full scope
At this time T-Mobile is still investigating the data breach and has yet to confirm the full extent of the exposed personal information, but independent reporting indicates that customers should assume the worst and take steps to protect themselves. As of Q2 2021 the company was estimated to have about 104 million customers, so it appears that this data breach affects nearly everyone who subscribes to its service.
T-Mobile issued an update on the morning of August 18 confirming that at least 47 million people were impacted, including former subscribers. The company has so far issued only a “preliminary analysis,” but it has confirmed that at least 7.8 million current postpaid T-Mobile customers may have had detailed personal information, such as Social Security and driver’s license numbers, exposed in the data breach. It says that records for roughly 40 million additional people were exposed but that those records did not include much in the way of personal information. It also confirmed that at least 850,000 active T-Mobile customers had their account PINs exposed in addition to their names and phone numbers.
The company said that it was processing “additional information” and that there could be “more fallout to come.” Jack Chapman, VP of Threat Intelligence at Egress, highlighted some of the threats that T-Mobile customers can realistically expect: “The data leaked in this breach is reported as being already accessible to cybercriminals, who could now weaponize it to formulate sophisticated phishing attacks targeting the victims. In light of this, I would urge any customers who have been affected by this breach to be wary of any unexpected communications they might now receive, whether that’s over email, text messages or phone calls. Follow-up attacks may utilize the information accessed through this data breach to trick people into sharing more personal data that can be used for identity and financial fraud.”
And Trevor Morgan, product manager with comforte AG, commented on the consequences for T-Mobile and on the lesson other enterprises should draw from the incident: “For T-Mobile, the situation brings up privacy concerns and questions about the level of due diligence they’ve enacted to prevent hacks and data breaches—the outcome, depending on the facts, could include fines, legal action, and of course reputational damage … The average enterprise, though, has an opportunity to learn from this. T-Mobile is an international company with ample resources at their disposal to prevent situations such as this, but the truth of the matter is that hacks and breaches are inevitable even for the most well-protected enterprise. Defensive methods such as protecting perimeters around data are not fool-proof, and a determined threat actor can always find ways to circumvent this type of data security. Better to investigate data-centric security that protects the data itself instead of the borders around it. Methods such as tokenization replace sensitive data elements with representational tokens, rendering any stolen data useless. Learning from the T-Mobile incident and determining how data-centric security could augment your security posture would definitely be a good call.”
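To make the tokenization point concrete, here is an added example (written for this article; it is not T-Mobile’s or comforte’s code) of vault-based tokenization applied to the kinds of fields exposed in this breach. It assumes a customer record is a plain dict, that the fields to protect are the SSN and driver’s license number, and that an in-memory dict stands in for a separately secured token vault. Tokens are drawn from a CSPRNG and preserve the format of the original value, so existing application code and database schemas keep working, while a dump of the application database (the `stored` records) contains nothing an attacker can reverse without also compromising the vault.

```python
"""Vault-based tokenization of sensitive customer fields.

Added example, not code from the article or from any vendor it quotes.
Assumptions: records are dicts; the protected fields are "ssn" and
"dl_number"; the vault below is an in-memory stand-in for a datastore
that lives behind its own access controls, separate from the customer DB.
"""
import hashlib
import hmac
import secrets
import string

SENSITIVE_FIELDS = ("ssn", "dl_number")


def _random_same_class(ch):
    """Pick a random character of the same class, keeping separators as-is."""
    if ch.isdigit():
        return secrets.choice(string.digits)
    if ch.isupper():
        return secrets.choice(string.ascii_uppercase)
    if ch.islower():
        return secrets.choice(string.ascii_lowercase)
    return ch  # '-' and other punctuation are kept so the format is preserved


class TokenVault:
    """Holds the only link between a token and the real value."""

    def __init__(self, index_key):
        # The keyed index lets us reuse a token for a value we have seen
        # before (so the app can still join/dedupe on the column) without
        # keying the vault on the plaintext itself.
        self._index_key = index_key
        self._token_to_value = {}
        self._index_to_token = {}

    def _index(self, value):
        return hmac.new(self._index_key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value):
        """Return a format-preserving random token for value (stable per value)."""
        idx = self._index(value)
        if idx in self._index_to_token:
            return self._index_to_token[idx]
        while True:
            token = "".join(_random_same_class(ch) for ch in value)
            # Reject collisions with existing tokens and the trivial identity token.
            if token not in self._token_to_value and token != value:
                break
        self._token_to_value[token] = value
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token):
        """Reverse a token; only possible with access to the vault."""
        return self._token_to_value[token]


def tokenize_record(record, vault):
    """Return a copy of record with sensitive fields replaced by tokens."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if out.get(field):
            out[field] = vault.tokenize(out[field])
    return out


def restore_record(record, vault):
    """Return a copy of a tokenized record with the real values restored."""
    out = dict(record)
    for field in SENSITIVE_FIELDS:
        if out.get(field):
            out[field] = vault.detokenize(out[field])
    return out


def leaked_plaintext(stored_records, plaintext_values):
    """Simulate an attacker reading a dump of the stored records: is any of
    the protected plaintext values present anywhere in it?"""
    blob = "\n".join(str(v) for rec in stored_records for v in rec.values())
    return any(p in blob for p in plaintext_values)


# Constructed sample records (not real customers).
CUSTOMERS = [
    {"name": "Ann Example", "phone": "555-0100", "ssn": "123-45-6789", "dl_number": "D1234567"},
    {"name": "Bob Sample", "phone": "555-0101", "ssn": "987-65-4321", "dl_number": "S7654321"},
]

if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    stored = [tokenize_record(c, vault) for c in CUSTOMERS]
    secrets_to_find = [c["ssn"] for c in CUSTOMERS] + [c["dl_number"] for c in CUSTOMERS]
    print("stored records:", stored)
    print("plaintext visible in DB dump:", leaked_plaintext(stored, secrets_to_find))
    print("restored via vault:", restore_record(stored[0], vault))
```

The design choice worth noting is that the token carries no information about the value, unlike a hash or a deterministic cipher, so the only way to reverse it is to read the vault. That is also the caveat: the vault and its index key become the crown jewels and need their own isolation, audit logging and least-privilege access, otherwise the breach just moves one hop over.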
A devastating loss of customer data
The data breach was first reported by Motherboard on Sunday, as a reporter came across a dark web forum post offering the massive trove of T-Mobile customer data for sale. The original post offered Social Security numbers, phone numbers, full names, physical addresses, unique device IMEI numbers, and driver license numbers, with Motherboard verifying that an available sample contained accurate information on known T-Mobile customers.
The seller was initially offering the subset of accounts containing all of this information, presumably at least the 7.8 million accounts that T-Mobile has since verified, for a price of 6 bitcoin (about $270,000). The seller indicated that they would make the remaining data available at a later time.
While the source of the hack is still not known, chats with the seller indicate there was some sort of backdoor into T-Mobile’s servers available to them. The seller said that the backdoor was closed after creating the listing, but that they had exfiltrated all of the data and made multiple backups of it. T-Mobile has only said that it is confident that the security hole used to access the data has been closed.
Either the hacker themselves or a representative took to Twitter to drum up buyers, also claiming that all of the customer data was found in plaintext on an “insecure” backup server that they claim was easy to breach. Information Security Media Group has been in contact with the hacker, who claims that the exploited vulnerability was a misconfigured Gateway GPRS Support Node used to connect mobile devices to the internet. The hacker claims to have had access for two or three weeks, raiding 100 databases used to store customer information from two different T-Mobile data centers.
A follow-up investigation by KrebsOnSecurity found that the hackers had obtained legitimate IMSI and IMEI data for 36 million customers, information that is invaluable for SIM swap attacks, which let an attacker take over a phone number without having physical access to the SIM. The hacker also claimed that they were able to see credit card numbers in the customer data, but that six digits of each were obfuscated. Further research by Krebs into the perpetrators indicates that they may be affiliated with the Satori botnet, a spinoff of the infamous Mirai botnet that was available to cyber criminals on a for-hire basis.
T-Mobile’s track record for security has been worrying in recent years; this is the fifth time the carrier has experienced a data breach and/or a loss of customer data since 2018. There were two incidents in 2020, both relatively small compared to the current one. In March an email vendor was compromised, revealing basic account and contact information for a number of employees and customers, though some Social Security numbers and payment information were included in the exposed data. In December there was another breach of the account information of about 200,000 customers, but this one involved no financial or sensitive personal data. The breach in 2019 was limited to similar basic account information, but involved over a million of its prepaid customers. And a 2018 data breach leaked similar basic customer data, that time for about two million of the company’s subscribers.