Continuing Expert Coverage of the T-Mobile Breach

Solutions Review continues our expert coverage of the T-Mobile breach as the full extent of the situation continues to unfold. 

Previously, we covered the T-Mobile breach, described in this article. Since publishing our first report, T-Mobile confirmed via press release 7.8 million current, former, or prospective customers had their data exposed in the cyber-attack. The majority of those affected applied for credit. First and last names, dates of birth, SSN, and driver’s license/ID information of a “subset of customers” might have been exposed. Approximately 850,000 active T-Mobile prepaid customer names, phone numbers, and account PINs were also exposed.

Thankfully, “no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers.” 

As part of our continued coverage, we again turn to cybersecurity experts. 

Continuing Coverage of the T-Mobile Breach

Chris Clements

Chris Clements is VP of Solutions Architecture at Cerberus Sentinel.

“I always imagine that the cliche phrases amounting to ‘we take security very seriously’ doesn’t have an unspoken second half ‘just not seriously enough to pay for it.’ Getting IT security right is a very tough job and mistakes can and do happen, but by and large, it seems that many organizations are unwilling to invest the resources to do so. For T-Mobile, this is the sixth major breach since 2018. The attacker claims to have compromised an end of life GPRS system that was exposed to the internet and was able to pivot from it to the internal network where they were able to launch a brute force authentication attack against internal systems with no rate limiting and I’m guessing no alerting functions either. Assuming this is true, then as usual it isn’t just one mistake that leads to a massive compromise, but a string of failures or absence of security controls that occur.  

This is the type of incident that could have been identified as a risk by a properly scoped penetration test and detected with the use of internal network monitoring tools. Those things aside, this further reinforces that doing security correctly at any organization is a cultural characteristic. If it’s not something that’s part of an organization’s own identity eventually some things, and often many things, will get missed that expose sensitive data to risk. A true culture of security involves buy-in from the highest levels of executive leadership and builds-in appropriate levels of security checks and balances and redundancies to prevent or limit damage in the event of a single security misstep.”

Daniel Markuson

Daniel Markuson is a Digital Privacy Expert from NordVPN.

“Phishing scams are one of the biggest concerns from these types of breaches. Such scams are usually very effective as criminals use a piece of real information, for example, your name and taxpayer ID. Cyber-criminals could send fake emails pretending to be your pharmacy, bank, hotel, or even governmental institution. 

Organizations need to enforce reliable security measures and inform their customers about how their data is collected, processed, and stored. T-Mobile needs to assess its cybersecurity risks, make relevant company-wide changes, and improve the overall approach to security, and let its userbase know of this as soon as possible.

Every company should start by establishing its security policy and ensuring compliance with any applicable regulations. If a company also chooses the right security tools and educates its employees, it can prevent many potential breaches.

The worst thing is that personalized phishing emails are so convincing and look real. Be more vigilant than usual and contact the organization before clicking on any links, filling in forms, or transferring funds. Even if you are a customer of the service allegedly sending the email, don’t trust it.”

Brian Johnson

Brian Johnson is Chief Security Officer at Armorblox.

“With phone numbers, account PINs, and IMEI data exposed for many customers, this breach can be a potential starting point for vendor and supply chain phishing fraud. Since phones are a preferred second method of authentication, cyber-criminals can use this data to attempt MFA bypass and take over the target’s email accounts. Once the accounts are compromised, attackers can send follow-on phishing attacks to partners, customers, and other known contacts by impersonating the legitimate senders.

Change your account PIN if you haven’t already, and be wary of any sudden requests for money and data, even if they are from known contacts.”

Thanks to these cybersecurity experts for their time and expertise on the T-Mobile breach. For more, check out the Endpoint Security Buyer’s Guide or the EDR Guide.