
T-Mobile’s Second Data Breach of 2023 Impacts Fewer Customers, But Involves Much More Sensitive Information

T-Mobile is already on its second data breach of the year, and the news about it is mixed. On the positive side, it appears to impact fewer than 1,000 customers in total, a far cry from the API attack that exposed the private information of some 37 million people in January. On the negative side, those who are impacted likely had their Social Security numbers, ID numbers, account PINs and other sensitive data revealed.

String of T-Mobile data breaches continues

The most recent data breach took place from February to March of this year, during which time attackers are believed to have accessed the personal information of 836 customers. While that is relatively small for modern breaches, particularly of companies of the size of T-Mobile, the information that was swiped appears to come from the applications or contracts of postpaid subscription customers.

The information comes from a data breach notification letter sent to impacted T-Mobile customers in late April, which indicated that the exposed personal information for each customer “may have varied” but that financial information and call records were not included.

However, the information that was included is very conducive to fraud and account takeover attempts. In addition to the ID numbers used to open the account and the account PINs, the stolen data included full names, billing addresses, phone numbers, number of lines, and internal codes that indicate which phone plan and features the customer is subscribed to.

In response to the data breach, T-Mobile has reset the PINs of impacted customers and is offering them two years of free credit monitoring and identity theft detection services from TransUnion.

Is T-Mobile uniquely vulnerable among US carriers?

T-Mobile is now at eight data breaches since 2018, and five of those have taken place in roughly the last two years. The most recent was an API scraping incident that took place through late 2022 and was disclosed in January 2023, in which 37 million customers had private (but not as sensitive) contact information exposed.

Prior to that, T-Mobile was breached in March 2022 by the Lapsus$ criminal gang. The group gained entry a number of times and stole source code, additionally attempting to breach some high-profile customer accounts. But the biggest incident of this string came in 2021, when T-Mobile was found negligent in allowing access to some of the private data of over 76 million customers, including account PINs in some cases. T-Mobile recently settled a class action lawsuit related to that incident for $500 million in total, with $350 million going to victims.

The concern about T-Mobile’s data breaches is not just the frequency and scope (though that is enough of a concern by itself), but also that the incidents seem to happen in a variety of ways. Since 2019 the company has had cloud storage misconfigurations, API scraping, breaches of its internal applications and testing environments, and the Lapsus$ attack reportedly began with the purchase of employee credentials on the dark web.

$150 million of the 2021 case settlement was supposed to be earmarked for internal network defense improvements at the company. The continued incidents in 2023 raise natural questions about how that money is being used, and put more of the security onus on the customer. And even when customers do everything right, such as adding a PIN to their accounts to curtail SIM swap takeovers, the data breaches end up being so extensive that those efforts are undermined.

It is hard to pin down exactly why T-Mobile’s security performance is consistently so bad. Primary competitors Verizon and AT&T are also far from immune to security lapses, each having already had an incident involving millions of records this year, but they do not seem to suffer incidents as often or at the scale of T-Mobile’s largest data breaches. T-Mobile essentially made cellular phone service a three-horse race in the United States with its 2020 acquisition of Sprint, and recently agreed to bring another two to three million customers into the fold with its acquisition of popular virtual network operator Mint Mobile.

Some insight may be found in the words of one of the perpetrators of the August 2021 attack, John Binns, a U.S. citizen living in Turkey, who went on the record to claim credit and call the carrier’s internal security practices “awful.” Binns said that he was able to penetrate the company by simply using a publicly available scanning tool (most likely Shodan) to find an exposed, unprotected router at one of the company’s Washington data centers. If the company has decided that occasional fines and settlements are preferable to the cost of keeping proper cybersecurity in place, these issues may continue until new regulation forces major changes.

Dror Liwer, co-founder of Coro, believes that automation must play a role in any substantial security improvements: “This incident highlights the need for smart automation when it comes to containment and remediation of data breaches. T-Mobile put measures in place to alert them of unauthorized activity, but the attacker had access to the data for a month. Had automation been deployed, that timeframe would have been cut to a fraction.”

“One way to improve data security is by implementing comprehensive platforms that empower businesses to leverage structured and semi-structured data throughout their lifecycle safely. These platforms should offer automated data security and governance controls, continuous visibility, risk detection, and mitigation, all while aligning with business goals and ensuring seamless integration, unmatched security, and regulatory compliance. Businesses can adopt a secure, data-driven growth strategy that minimizes risk and maximizes value by deeply understanding the four data variables – data infrastructure, data attributes, data users, and data usage. In the case of T-Mobile, a data security platform that effectively manages structured data usage could have mitigated the recent breach’s impact,” added Ani Chaudhuri, CEO of Dasera.