Nearly 48 million current, former, and prospective T-Mobile customers were compromised in a data breach that is still under investigation, the company confirmed late yesterday.
The investigation began last week, when T-Mobile learned of claims made in an online forum stating an attacker had compromised its systems. While the forum posts did not specifically call out T-Mobile, the seller reportedly told Motherboard they had accessed data related to more than 100 million people from the company's servers.
T-Mobile confirmed unauthorized access to its data on Aug. 16; one day later, it shared the results of its preliminary analysis: Approximately 7.8 million current T-Mobile postpaid customer accounts' information appears to be in the stolen files, in addition to just over 40 million records of former or prospective customers who had applied for credit with T-Mobile.
The stolen data did include some personal information, the company says. Some of the data accessed included customers' first and last names, birthdate, Social Security number, and driver's license/ID information for a subset of current and former postpay customers as well as prospective T-Mobile customers.
So far, there is no indication that the data in stolen files included customers' financial data, credit or debit card information, or other payment data. T-Mobile reports no phone numbers, account numbers, PINs, or passwords were compromised in affected files related to current postpaid customers or former or prospective customers.
Company officials have confirmed approximately 850,000 active T-Mobile prepaid customers' names, phone numbers, and account PINs were exposed in the attack. It has reset all of the PINs on these accounts and will be notifying the people affected. Customers who use Metro by T-Mobile or Boost as well as former Sprint prepaid customers did not have names or PINs exposed.
T-Mobile says it has located and closed the access point it believes was used to gain access to its servers. The company is offering two years of free identity protection services via McAfee's ID Theft Protection Service and advising all T-Mobile postpaid customers to proactively change their PINs. It's also offering account takeover protection capabilities to all postpaid customers.
While helpful, these steps don't get to the core of the problems plaguing T-Mobile's security posture, notes Forrester analyst Allie Mellen.
"T-Mobile is offering two free years of identity protection for affected customers, but ultimately this is pushing the responsibility for the safety of the data onto the user," she explains. "Instead of addressing the security gaps that have plagued T-Mobile for years, they are offering their customers temporary identity protection when breaches happen, as if to say 'This is the best we can do.'"
How Did This Happen (Again)?
This marks T-Mobile's fifth reported data breach since 2018. While the company has not yet confirmed how the attack happened, the person who claims responsibility for the attack says T-Mobile misconfigured a gateway GPRS support node that seems to have been used for testing. The node was exposed to the Internet, which allows the attacker to pivot to the LAN.
"Eventually, the person says they were able to brute force/credential stuff SSH on more than 100+ servers, some Oracle," writes reporter Jeremy Kirk on Twitter, noting there was no rate limiting on the servers because they are internal.
There is a chance the attacker's claims could be false; however, if true, they would point to a relatively unsophisticated attack with a massive impact. "This was not a sophisticated attack; this was not a zero-day," Mellen says. "T-Mobile left a gate left wide open for attackers — and attackers just had to find the gate."
Given the company's recent history with data breaches, experts say T-Mobile should have been able to detect the rogue activity inside its network before learning about the attack from an online forum.
"T-Mobile not only failed to prevent the adversary from getting inside but also failed to detect the rogue activity within the organization and prevent an extremely large volume of data from being exfiltrated," says Eric Parizo, principal analyst at Omdia. "Success at any point in the timeline could have prevented the breach."
A Risk to Businesses and Customers
The resulting risk to customers and enterprises "is extremely high" given the extent of data exposed, says Parizo.
From an individual standpoint, the exposure of information such as name and birthdate puts people at higher risk for identity theft. While many businesses have reduced their dependence on Social Security numbers, they are still core to a person's digital identity. And the release of billing addresses, many of which may be home addresses not publicly listed, could be a danger to those who live there — especially high-profile people and others whose privacy may already be at risk, he adds.
The risk to businesses is also high as many attacks against organizations start with attacks against individuals, targeting one person as a means of accessing a corporate network.
"With so much rich information on so many individuals now available in the wild, it suddenly becomes much easier for knowledgeable adversaries to gather information on their desired targets," he says.
Unfortunately, it's common for businesses to be breached multiple times, Parizo says. The public often only hears about a security incident if there's a legal or compliance-related reporting requirement, so many don't make the news. For T-Mobile, the series of attacks will likely weaken customer trust — and the pressure is on for the company to improve its security.
"It's clear T-Mobile has a lot of work to do to not only address numerous gaps in its security program, but also to restore customer confidence," Parizo says. Considering the number of breaches it has disclosed in recent years, "security-conscious customers should strongly consider whether T-Mobile is worthy of their trust and their business."
Mellen advises organizations to establish policies for configuring internal-only asset points appropriately, and to make sure employees are both aware of this and understand it. It's also important, she adds, to have security monitoring in place so it's possible to detect these kinds of attacks in the future. And while asset management is challenging to accomplish, it can help when identifying potentially risky or misconfigured assets, she says.
"They need to bring transparency to the forefront when it comes to their security practices," she says of T-Mobile.