T-Mobile Data Breach

T-Mobile has experienced another data breach, as reported by TechCrunch.  Hackers stole customer stole names, billing zip codes, phone numbers, email addresses, account numbers, and account type in what the company described as an “unauthorized capture of data.” IT security experts commented below.

Pravin Kothari, CEO at CipherCloud:

Pravin Kothari

Pravin Kothari

“The new T-mobile breach is deja vu all over again. In 2015, a massive amount of T-mobile customer data was breached. Reports at that time put the number at approximately 15 million customer accounts which included data as sensitive as social security numbers. In December of 2017, an exposed vulnerability was reported by a white hat security investigator that allowed hackers to hijack and take control of T-mobile customer accounts. It is unknown how many accounts were compromised due to this exploit.

Yesterday, lightning struck T-mobile yet again. T-mobile announced to customers that hackers were found to have breached critical systems and captured names, emails, accounts numbers and more. This breach may have impacted approximately some 2 million accounts.

The moral of the story? You cannot keep attackers out of your networks. Strong perimeters are good, but no longer good enough. Attackers will get in at some point. This will happen to relatively well-defended networks such as T-mobile’s.

The solution? New Zero Trust best practices would likely have prevented all of these breaches. The first step would be to require that *all* customer and T-mobile employee authentication should be done using 2-factor authentication. After all, this is a mobile phone company – what’s not to like? A 2nd factor SMS TXT to each mobile phone associated with the account would have been good enough to stop the breach. There are rare instances where 2-factor has been breached, but the use of 2-factor is much better than just a password.

Other obvious solutions include the end-to-end encryption of customer data. End-to-end encryption, or Zero Trust encryption, is the most robust approach to data protection available today. Zero Trust encryption protects data at-rest in the database, in use, and in transit through the networks, API’s, middleware and applications. It is inevitable that misconfigurations, both on-premise and in the cloud will happen, but end-to-end encryption protects the data throughout the complete lifecycle of the data.”

Amit Sethi, Principal Consultant at Synopsys:

“We don’t yet know exactly what happened and when. However, we do know what the potential impact of this type of breach can be. Hackers stole customer names, ZIP codes, phone numbers, e-mail addresses, account numbers and account types. This information can potentially be used in targeted attacks where attackers can impersonate customers to T-Mobile’s customer service representatives. Attackers may also be able to impersonate the customers to other wireless carriers and attempt to port the numbers in order to hijack the phone numbers. People who are impacted should ensure that they have set up a PIN with T-Mobile that they use to authenticate to customer service representatives, and that is required to port their phone numbers to another carrier.”

Javvad Malik, Security Advocate at AlienVault:

Javvad Malik

Javvad Malik

“It is encouraging to see that T-Mobile was monitoring its network and systems that allowed it to detect the breach whilst in progress. Although many customer records were accessed, the breach could have been much worse had the right security controls not been in place that alerted T-mobile’s security team to the breach.

It isn’t always possible to prevent a breach, but by having good detection capabilities, companies can discover breaches and nefarious activities quickly and respond effectively.”

Andy Norton, Director of Threat Intelligence at Lastline:

“It looks like T-Mobile are following industry best practise of “abundance of caution” when handling personal information and possible breaches.  If only more organisations had a culture of being abundantly cautious with their cyber security implementations. Telco service credentials form the foundation of our digital identities. Keeping them secure is paramount to the integrity of many other online portals.”