T-Mobile USA has reported a data breach – its fourth in three years.
The wireless carrier disclosed the breach last week via its website, saying that it detected and shut down “malicious, unauthorized access to some information” related to T-Mobile accounts. Specifically, that data consisted of customer proprietary network information (CPNI) – a data set that the FCC calls “some of the most sensitive personal information that carriers and providers have about their customers.”
CPNI includes records of which phone numbers users called; the frequency, duration, and timing of such calls; and any services purchased by the consumer, such as call waiting. T-Mobile said that the thieves in this case lifted phone numbers, number of lines subscribed to on accounts, “and, in some cases, call-related information.”
The good news is that the data accessed did not include names on the account, physical or email addresses, financial data, credit-card information, Social Security numbers, tax ID, passwords or PINs, the wireless company said in the notice.
T-Mobile said it is investigating the incident with help from law enforcement and a security firm, and it told outlets that 0.2 percent of customers (around 200,000 people) were affected.
While the attackers weren’t able to collect any highly sensitive personal data, there is still risk posed to those whose phone numbers were stolen in the breach, Hank Schless, senior manager for security solutions at Lookout, told Threatpost.
“An area code is all an attacker needs to carry out a socially engineered mobile phishing attack,” he said. “The attacker can pretend to be T-Mobile support over voice or text in order to get customers to share their login credentials. Since customers know there was a recent security incident, they may not think twice before engaging with an individual who claims they can help. If this were successful and the attacker made their way into the customer’s account, they could have access to sensitive information associated with the account.”
Lookout discovered a mobile phishing campaign in February that associated area codes with popular banks in the area to try to phish mobile banking login credentials.
“Mobile phishing represents one of the biggest security blind spots for individuals and enterprise security teams alike,” Schless said.
4th Incident in 3 Years
T-Mobile previously reported breaches in August 2018, November 2019 and most recently in March.
The 2018 incident impacted 2.3 million subscribers, exposing customers’ names, billing ZIP codes, phone numbers, email addresses, account numbers and account types (prepaid or postpaid).
In 2019, about 1.26 million of T-Mobile’s prepaid customers were affected by a breach that included names, billing addresses (if provided), phone numbers, account numbers and CPNI.
The 2020 breach meanwhile impacted both employees and customers (it’s unclear how many were affected). Cybercriminals accessed employee email accounts, some of which contained account information for T-Mobile customers, including names and addresses, phone numbers, account numbers and more.
In all three of those cases, as with the most recent incident, financial and Social Security data was not impacted.
Sprint, which merged with T-Mobile in 2020, meanwhile had two breaches of its own in 2019.
“The volume of attacks and successful attacks against wireless carriers continues to rise,” Brandon Hoffman, CISO at Netenrich, told Threatpost. “In this particular case, one has to wonder if it is related to the merging of two titans. Sprint had a series of issues last year and this is another in a list of successful attacks on T-Mobile.”
He added, “in our industry, when issues continue regardless of impact, we usually go back to the drawing board. It feels like there is an opportunity here to review the foundations of cyber relative to the merged entity and find out where quick wins can be had to shore up defenses. With the volume of successful attacks that we are seeing, either they are suffering from consistent advanced persistent threats or there is something easily exploited that is being overlooked.”
It should be noted that T-Mobile and Sprint were also impacted by an incident in December 2019, where hundreds of thousands of mobile phone bills for AT&T, Verizon and T-Mobile subscribers were laid open to anyone with an internet connection, thanks to the oversight of a contractor working with Sprint.
According to a media investigation, the contractor misconfigured a cloud storage bucket on Amazon Web Services (AWS), in which more than 261,300 documents were stored – mainly cell phone bills from Sprint customers who switched from other carriers.
Cell phone bills are a treasure trove of data, and include names, addresses and phone numbers along with spending histories and in many cases, call and text message records. In this case, some of the bills dated back to 2015; it’s unclear how long the bucket was exposed.