The Sprint Breach, According to Authentication Experts


Another day, another major data breach. Unfortunately, the ramifications of this breach could prove far-reaching. 

Telecommunications giant Sprint yesterday publicly disclosed they suffered a data breach through the Samsung website. According to a letter sent to customers, Sprint learned of the breach on June 22. Additionally, the breach involved “unauthorized access to your Sprint account using your account credentials via the Samsung.com ‘add a line’ website.”

The customer information potentially compromised includes phone numbers, device ID numbers, and account numbers. Also, the breached information includes billing addresses, first and last names, and monthly recurring charges, among other categories.

Sprint stressed the breach did not compromise credit card and Social Security Numbers; that information is encrypted. Moreover, no Samsung user information became compromised, despite the method of the attack. Although Sprint said hackers could not use this information to conduct identity theft, some identity experts disagree.     

Some factors in the Sprint breach remain unknown as of the time of this article. For example, the telecommunications giant did not comment on the exact number of accounts affected; given its size, it could easily number in the millions. Also, the company has not yet disclosed the nature of the digital vulnerability exploited or how long the attackers dwelt on its network.

What Solutions Review Learned from the Sprint Breach 

Granted, we have to engage in a little speculation, as the nature of the vulnerability remains a mystery at this time. However, given what the company disclosed already, we can offer some pointed words of advice. 

First, whenever any company discusses “unauthorized access,” enterprises should take it as a reminder: examine your authentication capabilities. Do you still use passwords and passwords alone to secure your data? If so, you definitely need to change that protocol immediately. Hackers can easily bypass or crack single-factor authentication. In fact, they can often just use passwords stolen from previous breaches and keep trying to log in until they succeed. 

Instead, your enterprise needs to embrace multifactor authentication (MFA). Often, these factors quietly use information surrounding the context of the login request, such as location and time. Thus, it rarely disrupts access requests and allows for smooth business processes. 

Of course, hackers can break through multifactor authentication systems, but that takes time and expertise. Instead, most hackers would much rather target low-hanging fruit. Thus MFA can deter as many hackers as it deflects. 
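The following added example is not part of the original article and is not based on details of the Sprint incident. It shows the two defensive ideas above in Python: flagging a source that fails logins against many different accounts (the pattern left by reused stolen passwords), and requiring a second factor when a correct password arrives from an unfamiliar location. The log records, thresholds and function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed sliding window
MAX_ACCOUNTS = 3                 # assumed: distinct failed accounts tolerated per source

def ev(ts, ip, account, country, ok):
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "account": account,
            "country": country, "ok": ok}

# Constructed sample login log (documentation IP ranges), not data from any breach.
EVENTS = [
    ev("2019-07-01T09:00:00", "198.51.100.7", "alice", "US", True),
    ev("2019-07-01T09:05:00", "203.0.113.9", "bob", "CA", False),
    ev("2019-07-01T09:05:20", "203.0.113.9", "carol", "CA", False),
    ev("2019-07-01T09:05:40", "203.0.113.9", "dave", "CA", False),
    ev("2019-07-01T09:06:00", "203.0.113.9", "erin", "CA", False),
    ev("2019-07-01T09:06:20", "203.0.113.9", "alice", "CA", True),   # reused password works
    ev("2019-07-02T03:10:00", "198.51.100.44", "alice", "DE", True),
]

def stuffing_sources(events):
    """Return IPs whose failed logins hit more than MAX_ACCOUNTS accounts within WINDOW."""
    by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            by_ip[e["ip"]].append(e)
    flagged = set()
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            accounts = {f["account"] for f in fails[i:] if f["ts"] - first["ts"] <= WINDOW}
            if len(accounts) > MAX_ACCOUNTS:
                flagged.add(ip)
                break
    return flagged

def decide(event, known_countries, flagged):
    """Contextual policy applied to a login whose password was correct."""
    if event["ip"] in flagged:
        return "deny"       # correct password from a stuffing source: likely takeover
    if event["country"] not in known_countries.get(event["account"], set()):
        return "step_up"    # unfamiliar location: require a second factor
    return "allow"          # familiar context: no extra friction for the user
```

A password-only check would have accepted the sixth event; the policy denies it because the same source had just failed against four other accounts.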

Second, the Sprint breach should remind enterprises to protect their privileged users. Hackers frequently target privileged access because of the power privileged accounts wield on the network. Thus it shouldn’t surprise readers that, according to Centrify, 74% of enterprise breaches involved a privileged account.

Thus you need to enact privileged access management on your IT infrastructure as soon as possible. The capabilities of a PAM solution can help prevent or mitigate the damage caused by stolen superuser credentials. These include: 

  • MFA
  • Password Vaulting
  • Onboarding and Offboarding Monitoring
  • Secure Containers
  • Privileged Session Management
  • Privileged User Analytics
  • Lifecycle Management
  • Account Discovery

What the Experts Say About the Sprint Breach

Of course, you shouldn’t just take our word for it. You should hear our advice on privileged access management from the authentication experts themselves. We reached out to a few of them. Here’s what they had to say:

Jonathan Bensen, CISO, Balbix

Sprint’s breach could not come at a worse time for the company as it recently reached a $26.5 billion merger agreement with T-Mobile which would allow the United States’ third and fourth mobile carriers to prove more formidable opponents to Verizon and AT&T. If the two enterprises do merge, it is critical that the pair implement security solutions that scan and monitor all T-Mobile and Sprint-owned and managed assets as well as all third-party systems to detect vulnerabilities that could be exploited.

Proactively identifying and addressing vulnerabilities that would put them at risk, such as the Samsung.com threat that led to this breach, is the only way to stay ahead of future breaches and avoid litigation, fines under data privacy laws, retain brand image, increase the organizations’ market share and beyond.

Sprint’s subsidiary, Boost Mobile, also suffered a breach in May after hackers obtained unauthorized access via a brute force credential stuffing attack.

It would not be surprising if T-Mobile reconsiders its merger with Sprint after this latest breach. Companies must remain ever vigilant during merger and acquisition (M&A) activity to avoid suffering the same fate as Marriott that was fined $123 million last week under GDPR for its 2018 data breach.

Anurag Kahol, CTO, Bitglass

Regardless of the number of individuals affected, the type of information hackers had access to leaves Sprint customers vulnerable to identity theft and fraudulent activity. When armed with payment card information and personally identifiable information, malicious parties can engage in highly targeted phishing attacks, make fraudulent purchases, sell said data on the dark web for a quick profit, and much more. While Sprint has re-secured all compromised accounts by resetting PIN codes, it is still unknown when hackers first gained access to customer accounts, and what damage may already be done.

To prevent unauthorized access to consumer data, organizations must adopt robust proactive cybersecurity platforms that include identity and access management capabilities. This functionality allows organizations to verify users’ identities, detect potential intrusions, and enforce multi-factor authentication and more.

Ben Goodman, CISSP and SVP of Global Business and Corporate Development of ForgeRock

Even though the exact amount of Sprint customers affected is unknown, the company claimed 54.5 million customers in Q1 2019. For security and privacy reasons, every user should assume that his or her information may have been compromised in this breach. The information exposed in this latest breach of Sprint’s customers can be combined with previously stolen data to create effective credential stuffing lists for brute force attacks on other accounts or even highly targeted phishing attacks. All of Sprint’s customers should take precautionary measures to protect other accounts by enabling multi-factor authentication (MFA) and changing login credentials.

Even if Sprint’s website was secure, the intruders gained unauthorized access via Samsung.com. The attack landscape constantly expands and organizations must prepare to secure customer data by implementing security strategies and tools that respect customer privacy and prescribe real-time, contextual and continuous security that detect unusual behavior and prompt further action, such as identity verification via MFA.

Unfortunately, even adhering to best practices still does not guarantee an individual’s account’s safety. Organizations across all industries continue to use knowledge-based answers for account recovery purposes. This method represents another highly susceptible attack vector for hackers to target to gain access to accounts. 

Questions such as “where did you go to high school/college” and “what city were you born in” are two commonly asked questions for password resets, and a threat actor can use previously pilfered personally identifiable information (PII) from other breaches to correctly answer them and obtain access. Companies must begin to stray away from this type of account recovery method in order to best secure their customers’ profiles.

Robert Prigge, President, Jumio

[The Sprint breach] provides yet another wake-up call for any company that still protects their users’ online accounts with a simple username and password. We now live in a zero-trust world thanks to the dark web and near-daily data breaches. Any cybercriminal with limited skills can perpetrate account takeover fraud with ease. Online accounts need to be protected with much stronger forms of biometric-based authentication. This is no longer a nice-to-have feature — it’s a must-have. The good news is that users are now ready for simple face-based biometrics (thanks to Apple’s Face ID). It’s even easier, faster and way more secure than legacy methods of authentication.

Thanks to the authentication experts for their time and expertise!

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.