Telecoms Giant Sprint Suffers Data Breach via Samsung Website

American telecommunications provider Sprint has reportedly suffered a data breach and has told customers that hackers broke into their accounts through a Samsung website. The number of customer accounts breached isn’t yet known. The hack occurred on June 22, Sprint told its customers in a letter, and exposed details such as first and last name, billing address, phone number, subscriber ID, account number, device type, device ID, monthly charges, account creation date, upgrade eligibility and any add-on services. The intrusion occurred via the Samsung “add a line” website.

  • The company said it re-secured all compromised accounts by resetting PIN codes three days later, on June 25
  • The Sprint account breach notification lacks a few important details, such as the number of breached accounts, the date when hackers first started accessing Sprint accounts via the Samsung.com website, and whether hackers modified any customer account details
  • This is the second account breach notification letter Sprint is sending this year. The company also suffered a breach via Boost Mobile, a virtual mobile network and Sprint subsidiary

Experts’ Comments:

Felix Rosbach, Product Manager at comforte AG:

“To stay on top of the game and to offer a best-in-class customer experience, some organizations allow third parties access to sensitive customer data. Missing control over the infrastructure of third parties combined with the lack of cybersecurity talent available on the market makes it near impossible to prevent attackers from getting access to such a complex network.

Protecting data is more important than just preventing breaches. The best thing organizations can do is to focus on a data-centric security strategy to make sure that data is protected and access to it is restricted all the time.”

Boris Cipot, Senior Security Engineer at Synopsys: 

“Every breach has to be taken seriously, and impacted users should be on the lookout for possible misuse of their data. The good thing here is that credit card information and social security numbers were not affected due to the encryption.

In addition to changing PIN numbers, as recommended by Sprint, I would also advise users to change their account credentials for the Sprint portal. As we know, many people use the same username and password for many different accounts, so it would be advisable to change those also. In any case, it would be advisable for everyone to change their password every now and then and not use the same credentials for different services.”

Saryu Nayyar, CEO at Gurucul:

“While details of this breach are scant, the reality is that a volume of accounts were compromised via a third party site. The spike in activity of “add a line” transactions or visits to the “add a line” website should have triggered alarm. That type of activity is both anomalous and risky. It should have set off alarms to be investigated by the Sprint security team. Once again, defending breaches after-the-fact is ineffective. 

When attackers manage to hijack legitimate access rights, they can remain undetected for extended periods of time. Many organisations don’t have the ability to identify subtle behavioral anomalies that are indicators of cyber threats. But with advanced machine learning algorithms it’s possible to spot behaviors that are outside the range of normal activities and intervene before the damage is done.” 

Javvad Malik, Security Awareness Advocate at KnowBe4: 

“The Sprint breach highlights, once again, the importance of third party assurance and how access given to third parties needs to be carefully considered, secured and monitored. When security is built in at an early stage, the architecture can be designed in a more secure manner so that external, or even internal departments which don’t need access to functions cannot make any unauthorised changes.

It’s unfortunate that Sprint didn’t provide more details around the number of accounts breached and whether attackers had modified any account details. It could be possible that Sprint is still collating the information, but transparency and clarity of impact is vitally important for companies in the aftermath of an incident. Delays to sharing information can undermine customer confidence.”  

Jonathan Bensen, CISO at Balbix: 

“Sprint’s breach could not come at a worse time for the company as it recently reached a $26.5 billion merger agreement with T-Mobile which would allow the United States’ third and fourth mobile carriers to prove more formidable opponents to Verizon and AT&T. If the two enterprises do merge, it is critical that the pair implement security solutions that scan and monitor all T-Mobile and Sprint-owned and managed assets as well as all third-party systems to detect vulnerabilities that could be exploited. Proactively identifying and addressing vulnerabilities that would put them at risk, such as the Samsung.com threat that led to this breach, is the only way to stay ahead of future breaches and avoid litigation, fines under data privacy laws, retain brand image, increase the organizations’ market share and beyond.

This breach adds to a growing list of recent, unfortunate events suffered by Sprint. The company announced that it lost 189,000 customers and admitted a loss of four cents per share in its fiscal fourth quarter. Sprint’s subsidiary, Boost Mobile, also suffered a breach in May after hackers obtained unauthorized access via a brute force credential stuffing attack.   

It would not be surprising if T-Mobile reconsiders its merger with Sprint after this latest breach. Companies must remain ever vigilant during merger and acquisition (M&A) activity to avoid suffering the same fate as Marriott that was fined $123 million last week under GDPR for its 2018 data breach.”   

Ben Goodman, CISSP and SVP at ForgeRock:

“Even though the exact amount of Sprint customers affected is unknown, the company claimed 54.5 million customers in Q1 2019. For security and privacy reasons, every user should assume that his or her information may have been compromised in this breach. The information exposed in this latest breach of Sprint’s customers can be combined with previously stolen data to create effective credential stuffing lists for brute force attacks on other accounts or even highly targeted phishing attacks. All of Sprint’s customers should take precautionary measures to protect other accounts by enabling multi-factor authentication (MFA) and changing login credentials.  

Even if Sprint’s website was secure, the intruders gained unauthorized access via Samsung.com. The attack landscape is constantly expanding and organizations must be prepared to secure customer data by implementing security strategies and tools that respect customer privacy and prescribe real-time, contextual and continuous security that detect unusual behavior and prompt further action, such as identity verification via MFA.  

Unfortunately, even adhering to best practices still does not guarantee an individual’s account’s safety. Organizations across all industries continue to use knowledge-based answers for account recovery purposes, and this method represents another highly susceptible attack vector for hackers to target to gain access to accounts. Questions such as “where did you go to high school/college” and “what city were you born in” are two commonly asked questions for password resets, and a threat actor can use previously pilfered personally identifiable information (PII) from other breaches to correctly answer them and obtain access. Companies must begin to stray away from this type of account recovery method in order to best secure their customers’ profiles.”

Robert Prigge, President at Jumio: 

“This provides yet another wake-up call for any company that still protects their users’ online accounts with a simple username and password. We now live in a zero-trust world thanks to the dark web and near daily data breaches. This means that any cybercriminal with limited skills can perpetrate account takeover fraud with ease. This is precisely why online accounts need to be protected with much stronger forms of biometric-based authentication. This is no longer a nice-to-have feature — it’s a must-have. The good news is that users are now ready for simple face-based biometrics (thanks to Apple’s Face ID) and it’s even easier, faster and way more secure than legacy methods of authentication.”