Mobile carrier T-Mobile suffered a massive data breach recently, the 5th such occurrence in the last four years.
Preliminary analysis revealed that the breach affected nearly eight million current postpaid customers and forty million former or prospective clients who had applied for credit with the company.
The compromised data is as sensitive as it could get. According to Vice’s Motherboard magazine, the information includes Social Security Numbers, account pins, driver’s license numbers, names, and phone numbers.
The records appeared for sale on a dark web forum, with the seller asking for 6 bitcoin (approximately $290,000 at the time of writing this).
The question is,
How did hackers penetrate T-Mobile?
Even though the hackers’ identity remains shrouded in mystery, chats with the seller point to a vector attack.
One of the supposed hackers by the pseudonym Anton Lyashevesky told Information Security Media Group that the hackers infiltrated T-Mobile after the company’s misconfigured Gateway GPRS Support Node (GGSN) was exposed on the internet.
According to Lyashevesky, the criminals pivoted to the company’s LAN before proceeding to over one hundred Oracle databases containing the user data.
Further, a tweet handle @undOxxed claims the information was extracted from multiple T-Mobile data centers named Titan and Polaris.
What is an attack vector? Common attack vectors
A vector attack is a path which cybercriminals use to access a computer or network server to execute a payload with the intention of a malicious outcome. The attack allows the actors to exploit the system vulnerabilities.
Attack vectors include e-mail attachments, pop-up windows, viruses, deception, chat rooms, and instant messages.
While there are several attack vectors, the T-Mobile breach could have been a case of a brute force authentication attack against internal systems.
A brute force attack involves cracking credentials to guess usernames and passwords to gain unauthorized access to a system via trial and error.
The attackers could have used several methods including password cracking software, password sniffers, and dictionary attack, to hack into T-Mobile’s GGSN router.
The attack could also have been instigated from inside the company. A malicious insider could have abused their privileges as an authorized user to carry out the attack against T-Mobile’s information systems.
And because the user is legitimate, it can be hard to detect these types of attacks. That’s especially true considering that T-Mobile wasn’t aware of the attack until the hackers posted it on the dark web.
Is T-Mobile to blame?
A data breach as massive as T-Mobile’s usually occurs because of a series of mistakes or an absence of security control. A complex organization is generally its own worst enemy with operational debt causing systematic accrual of risk.
T-Mobile could have avoided the attack if the company conducted a proper scoped penetration test and used internal network monitoring tools.
According to the hackers, this was a configuration problem on the access point the company uses for testing. The issue made the access point publicly available on the internet – all the actors had to do was find the gate.
While T-Mobile is giving the victims two years of free identity protection, the company should have done more to protect its customer’s data, considering this isn’t the first time the mobile carrier is being targeted.
A classic solution is data partitioning. The company should have separated highly sensitive information from identification data such as addresses, names, and phone numbers. Also, T-Mobile’s attack is a reminder that organizations should store highly sensitive data on a need-to-know basis to prevent potential internal threats.
What should the victims do in the meantime?
While T-Mobile says it is still conducting further investigations,” Jack Chapman, Egress Vice President of Threat Intelligence, notes, “The data leaked in this breach is reported as being already accessible to cybercriminals, who could now weaponize it to formulate sophisticated phishing attacks targeting the victims.”
Chapman also urges affected customers to be on the lookout for unusual communications, including random phone calls or messages and e-mails.
The hackers may try to use the information mined through this breath to lure victims into sharing personal data to be used in fraud and identity theft.
It is also important that the actors obtained legitimate IMEI and IMSI for millions of customers, valuable data for SIM swaps, which calls for the need to change your passwords immediately.