Sprint has been informing customers of a data breach discovered on June 22 that came by way of their account credentials via Samsung's "add a line" website. The number of customers impacted has not been disclosed.
Information exposed in the breach includes phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility, first and last name, billing address, and add-on services, according to Sprint's notification. The notification also stresses information that might be used in financial fraud was not affected.
"Suggesting this breach does not put users at risk of fraud or identity theft strikes me as either ignorant or disingenuous," counters Sam Bakken, senior product marketing manager at OneSpan. "Combining phone number, device type, and device ID, an attacker has the building blocks for an account-takeover scheme."
And that could have significant financial ramifications, says Tim Mackey, principal security strategist at Synopsys CyRC. "If a malicious actor has access to the appropriate provider information, they can co-opt the user's account either through the porting process or by simply obtaining a replacement SIM. These attacks are respectively known as 'port-out scams' and SIM-jacking," he explains.
Once those steps are taken, he says, many two-factor authentication schemes become weapons rather than protections. "Once ported, the replacement device will receive all cellular messages, such as SMS," Mackey says. "This can facilitate attacks where SMS is used as part of a two-factor identification strategy."
The most important information about this breach, according to Bob Maley, chief security officer at NormShield, is it's not the first Sprint has seen this year. "Earlier this year one of their subsidiaries, Boost Mobile, had a problem with a contractor," Maley says. According to the notification Sprint sent customers for that breach, which occurred March 14, "Boost.com experienced unauthorized online account activity in which an unauthorized person accessed your account through your Boost phone number and Boost.com PIN code."
"It sounds like [Sprint's] process for risk assessment for third parties might be lacking," Maley says. "As a CISO I'd want to know very early on when we engage a third party the sort of risk that engagement would bring to us. Are we sharing data with them? Will they have access to our systems or network? Is the service the third party providing critical to our operation?"
Samsung would have said "yes" all three of those questions, Maley says, and so should fall under an enhanced schedule of monitoring and assessment for risk and security.
Many companies conduct risk assessment when a new third-party partner is onboarded but then fail to do regular reassessment of the risks, Maley says. "The 'trust but verify' model is good, but most people are just using the 'trust' part," he says.
This breach is a reminder that risks should be assessed and security practices audited on a regular basis, Maley adds. In a dynamic world, he points out, security is not a one-time affair.