The latest roundtable discussion from Security on Screen analyses the recent data breach at US mobile network operator T-Mobile. As the third-largest US wireless carrier, how will it take the correct steps to both secure its systems and contain the fallout?
Over 40 million T-Mobile customers have been hit by a “highly sophisticated cyberattack” that caused a data breach in which individuals’ personal information was stolen. The breach follows online reports from last weekend stating that criminals were attempting to sell a large database containing T-Mobile customer data online.
Confirming the incident, T-Mobile said in a statement: “Late last week we were informed of claims made in an online forum that a bad actor had compromised T-Mobile systems. We immediately began an exhaustive investigation into these claims and brought in world-leading cybersecurity experts to help with our assessment. We then located and immediately closed the access point that we believe was used to illegally gain entry to our servers.”
After further investigation, information from 7.8 million current T-Mobile postpaid customer accounts was identified in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile. In addition, approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed, according to the firm, which said it had reset all of the PINs on these accounts to protect customers.
It added that no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of the files of customers or prospective customers. “We take our customers’ protection very seriously and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack,” the company said.
“While our investigation is ongoing, we wanted to share these initial findings even as we may learn additional facts through our investigation that cause the details above to change or evolve.”
This isn’t the first time T-Mobile has suffered a data breach: hackers previously stole the personal information of 15 million customers and potential customers in the US in 2015. The company’s UK operation, T-Mobile UK, was rebranded as EE in 2012 and sold to BT in 2016 for more than £12 billion. As yet, there is no indication that former UK customers of T-Mobile have been hit by the data breach.
The wireless carrier is the latest victim of a series of cyberattacks on large corporations in the United States as hackers exploit weakened user system privacy and security due to work-from-home policies instituted since the onset of the coronavirus pandemic. A company of this size suffering a breach at this scale is always a cause for concern. “While we hear about breaches often enough, ones of this magnitude and potential impact are far less common,” says Erich Kron, Security Awareness Advocate at KnowBe4. “In this case, if it proves to be true, not only is the sheer number of records lost a concern, but the information contained in these records is a treasure trove of data for cyber criminals.
“Not only is there enough information to start stealing identities, the loss of IMEI numbers can make it easier for criminals to clone phones, a great way to intercept security codes sent by banks or other services, and the information leaked can be used by social engineers to build convincing stories to run their scams.
“When organisations of this size collect so much personal information about their customers, they have a responsibility to protect it as well. The data lost is not like a compromised password which you can just change. The IMEI number is tied to the hardware of a phone, so to change that requires purchasing a new device, and Social Security Numbers are not easy to change when stolen. This becomes a significant burden on the customer through no fault of their own, and cannot be resolved by something like free credit monitoring. The loss of this much data by such a large entity will certainly cause problems for years down the road.”
Trevor Morgan, Product Manager at comforte AG, also believes the reported breach could have significant repercussions across the board. “For T-Mobile, the situation brings up privacy concerns and questions about the level of due diligence they’ve enacted to prevent hacks and data breaches—the outcome, depending on the facts, could include fines, legal action, and of course reputational damage,” he continues.
“The average enterprise, though, has an opportunity to learn from this. T-Mobile is an international company with ample resources at their disposal to prevent situations such as this, but the truth of the matter is that hacks and breaches are inevitable even for the most well-protected enterprise. Defensive methods such as protecting perimeters around data are not fool-proof, and a determined threat actor can always find ways to circumvent this type of data security.
“Better to investigate data-centric security that protects the data itself instead of the borders around it. Methods such as tokenisation replace sensitive data elements with representational tokens, rendering any stolen data useless. Learning from the T-Mobile incident and determining how data-centric security could augment your security posture would definitely be a good call.”
Sam Curry, Chief Security Officer at Cybereason, agrees: “This breach is a reminder that as consumers our personal information has been stolen many times over and sold on the DarkWeb. It appears that social security numbers, government ID numbers, drivers’ license information and other personal information is being made available for sale. However, what is most concerning is the availability of mobile phone identity numbers tied to each specific customer’s phone. With a blend of consumer data, criminals can more easily dupe consumers into opening phishing emails and phishing texts.”
“A breach of this size puts millions of people at risk of impersonation fraud and highly targeted phishing emails,” adds Jamie Akhtar, CEO and Co-Founder of CyberSmart. “The information that is potentially exposed is concerning, not least because many of the data points are not easily changed such as social security numbers and driver’s license numbers. As always, individuals will need to be vigilant of any incoming communications whether by phone or via email, verifying who is in touch with them prior to dishing out more information. Where possible, those affected should also change their security PINs.”
Martin Jartelius, CSO at Outpost24, argues: “The data that is indicated by preliminary sources points to the kind of information useful in frauds where the identities of others are used. It is very hard for affected individuals to take action at this moment as the actual illegal use of the data won’t target those individuals directly but rather be used in attempted frauds against third parties.
“Without going into details, it is quite unsettling that such large amounts of sensitive information have been both stored in such a manner it could get extracted without detection, as well as the fact those sets of data don’t seem to have been stored encrypted. However, it is still too soon to make any certain statements; we can just hope T-Mobile are successful in their investigation and help concerned customers.”
Curry concludes: “Data breaches, ransomware attacks and other malicious threats are not receding, only increasing in frequency and severity. We should all be on the lookout for the back-to-school scams and typical post-summer resurgence of business that will only likely herald an uptick in attacks while whetting the appetites of cyber criminals to carry out more brazen attacks.”