T-Mobile reported a breach that compromised customer data – the company’s fourth in three years – raises questions about whether the mobile carrier’s massive merger with Sprint left the combined company more vulnerable.
Indeed, when companies merge, particularly sizable ones, the integration of technology systems and networks can often introduce new security considerations.
“The volume of attacks and successful attacks against wireless carriers continues to rise. In this particular case, one has to wonder if it is related to the merging of two titans,” said Brandon Hoffman, chief information technology officer at Netenrich, who noted the string of successful attacks against T-Mobile as well as Sprint’s own “series of issues” over the past year.
“In our industry, when issues continue regardless of impact, we usually go back to the drawing board,” said Hoffman. “It feels like there is an opportunity here to review the foundations of cyber relative to the merged entity and find out where quick wins can be had to shore up defenses.”
The high volume of successful attacks, he said, indicates either organizations “are suffering from consistent advanced persistent threats or there is something easily exploited that is being overlooked.”
T-Mobile discovered “malicious, unauthorized access” to some customer proprietary network information, including phone numbers, number of phone lines subscribed to as well as as call-related information that the company collects as part of the normal operation of wireless service.
What the hackers did not get their hands on are account names, physical or email addresses, credit card or financial data, social security numbers, tax IDs, passwords and PINs.
That said, hackers often play a long game. “While it appears that the attackers weren’t able to collect any highly sensitive personal data of T-Mobile customers, there is still risk posed to those whose phone numbers were stolen in the breach,” said Hank Schless, senior manager, security solutions at Lookout. “An area code is all an attacker needs to carry out a socially engineered mobile phishing attack.” A mobile phishing campaign Lookout discovered in February 2020 associated area codes with popular banks in the area to try to phish mobile banking login credentials.
An attacker successful in pretending to be T-Mobile support over voice or text and finessing customers to share their login credentials, he said, can make their way into the customer accounts to access associated sensitive information.
“When a major provider like T-Mobile, with a mature information security team, reports four breaches in three years, it indicates the level of tenacity and persistence attackers bring to bear against their targets,” said Gurucul CEO Saryu Nayyar. “While there may remain some gaps in their defenses, it’s certain that other organizations are facing the same level of consistent attack, have the same potential gaps, and may have experienced the same breaches – but may not yet be aware of them.”
The T-Mobile breach “is not different from the previous attacks on T-Mobile or other companies and security vendors like SolarWinds, FireEye, etc.,” said Eddy Bobritsky, CEO of Minerva Labs. In all of those attacks, “malicious code managed to gain significant foothold in the network to execute a successful attack. The initiate stage of the attack (the beachhead) and the process of the foothold must be undetected. To achieve such level of undetectability the malicious code must include multiple evasion techniques in order to bypass security controls to avoid detection (an attack failure).”
T-Mobile’s string of breaches underscore “that it’s not enough to ensure the security of your own applications, you also need to make sure your vendors are secure as well,” said Timothy Chiu, vice president of marketing at K2 Cyber Security. “Even NIST, the governmental body that sets the security and privacy framework for the federal government, has increased their guidance for application security, including both RASP (Runtime Application Self-Protection) and IAST (Interactive Application Security Testing), as requirements in the latest framework,” SP800-53 Revision 5.
But Tim Wade, technical director with the CTO team at Vectra, said that this fourth breach “appears to be significantly less impactful” than the ones before. That may indicate “that the investments that T-Mobile has made in cyber resilience are paying dividends even if there may still be opportunities for further progress ahead.”