T-Mobile said on Monday it was looking into claims that a hacker has stolen data related to more than 100 million T-Mobile customers in the United States and aims to sell access to part of the information for around $277,000.
According to Motherboard, the data includes Social Security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver's license information. Motherboard claims to have seen samples of the data and confirmed they contained accurate information on T-Mobile customers.
T-Mobile’s attackers apparently claim they ransacked company databases as reprisal for U.S. espionage activity, said Hitesh Sheth, president and CEO at Vectra. Sheth said they do not appear to have asked for a ransom. If true, he said, it further blurs the lines in cyberwar between government and private assets.
“Every business has to consider what kind of prize it, too, might represent to threat actors out to score political points,” Sheth said. “If privately owned infrastructure is going to suffer retaliation for things government does, it’s not only imperative that businesses shore up their cyber defenses. It’s vital that deeper, smarter public-private partnerships define cybersecurity norms, roles, and responsibilities. Like it or not, when a critical enterprise is a cyber target, it’s playing a role in national defense.”
Hank Schless, senior manager, security solutions at Lookout, said reports on this data breach indicate that the attacker was able to gain backdoor access to T-Mobile’s infrastructure and exfiltrate a large amount of data.
An attacker usually creates a backdoor either by exploiting a vulnerability or by using social engineering to convince an employee to install a malicious file that opens up access. Once the attacker has that backdoor, they can move laterally through the infrastructure to locate highly valuable data. From there, they can either exfiltrate it or encrypt it to kick off a ransomware attack. If the attacker is able to swipe employee credentials as part of their initial attack, their chances of success are that much higher, because their activity looks like that of a legitimate user.
“This incident highlights how important visibility and anomalous behavior detection are if an organization wants to implement a security strategy built for today’s threat landscape,” Schless said. “As organizations expand their cloud footprint, enable remote access to on-prem infrastructure, and allow their employees to use personal mobile devices to access company data, they need to implement security and access policies across all of those resources. Understanding exactly how your users, devices, files, and services interact with each other is the best way to prevent incidents like this. A cloud security platform that can provide this level of visibility is key to any enterprise security strategy.”
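The attack chain sketched above (a stolen employee credential used to move laterally and pull out data) and the anomalous-behaviour detection Schless argues for can be made concrete with a small baseline-and-compare detector. The following is an added example written for this page; it is not code from T-Mobile, Lookout or the article, and the log format ("timestamp user src_host dst_host bytes_out"), the account names, the hosts and every log line are constructed for illustration. It builds a per-user baseline from a few quiet days and then flags, for each later day, a login from a never-seen source host, a jump in the number of distinct hosts touched (lateral movement), and a jump in outbound volume (exfiltration); an account with no history at all is surfaced as its own alert rather than silently ignored.

```python
"""Toy behavioural anomaly detector for a credentialed intruder.

Added example, not code from the article or from any vendor named in it.
Assumed (constructed) log format, one event per line:
    ISO-timestamp user src_host dst_host bytes_out
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: three quiet days for "alice" and "bob", then a
# noisy night on 13 Aug where "alice"'s account works from the VPN gateway,
# touches many hosts and pulls a large volume, plus "carol", who has no
# history at all. None of this is real data.
LOG_LINES = """
2021-08-10T09:01:00 alice ws-alice db-01 12000
2021-08-10T09:30:00 alice ws-alice fileshare-01 40000
2021-08-11T08:55:00 alice ws-alice db-01 15000
2021-08-11T10:15:00 alice ws-alice fileshare-01 38000
2021-08-12T09:05:00 alice ws-alice db-01 13000
2021-08-10T09:00:00 bob ws-bob mail-01 5000
2021-08-11T09:00:00 bob ws-bob mail-01 6000
2021-08-12T09:00:00 bob ws-bob mail-01 5500
2021-08-13T02:10:00 alice vpn-gw db-01 20000
2021-08-13T02:12:00 alice vpn-gw db-02 21000
2021-08-13T02:15:00 alice vpn-gw fileshare-01 30000
2021-08-13T02:18:00 alice vpn-gw fileshare-02 35000
2021-08-13T02:25:00 alice vpn-gw customer-db 900000000
2021-08-13T02:40:00 alice vpn-gw backup-01 5000000
2021-08-13T03:00:00 carol jump-01 customer-db 2000
2021-08-13T09:00:00 bob ws-bob mail-01 5200
"""


def parse(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, src, dst, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "bytes": int(nbytes)})
    return events


def daily_stats(events):
    """Per (user, day): set of destination hosts and total bytes out."""
    hosts = defaultdict(set)
    nbytes = defaultdict(int)
    for e in events:
        key = (e["user"], e["ts"].date())
        hosts[key].add(e["dst"])
        nbytes[key] += e["bytes"]
    return hosts, nbytes


def baseline(events, cutoff):
    """Per user, from events before cutoff: max distinct hosts in a day,
    max bytes out in a day, and every source host seen. A daily max is a
    deliberately crude baseline; a real detector would model a distribution."""
    hist = [e for e in events if e["ts"] < cutoff]
    hosts, nbytes = daily_stats(hist)
    base = {}
    for e in hist:
        base.setdefault(e["user"], {"hosts": 0, "bytes": 0, "sources": set()})
        base[e["user"]]["sources"].add(e["src"])
    for (user, _day), hs in hosts.items():
        base[user]["hosts"] = max(base[user]["hosts"], len(hs))
    for (user, _day), b in nbytes.items():
        base[user]["bytes"] = max(base[user]["bytes"], b)
    return base


def detect(events, cutoff, host_factor=2, byte_factor=10):
    """Score each (user, day) at or after cutoff against that user's baseline.
    Returns (user, day, kind, value) tuples."""
    base = baseline(events, cutoff)
    recent = [e for e in events if e["ts"] >= cutoff]
    hosts, nbytes = daily_stats(recent)
    sources = defaultdict(set)
    for e in recent:
        sources[(e["user"], e["ts"].date())].add(e["src"])
    alerts = []
    for (user, day), hs in hosts.items():
        if user not in base:
            # Edge case: nothing to compare against. Surface it, don't hide it.
            alerts.append((user, day, "no_baseline", len(hs)))
            continue
        b = base[user]
        new_src = sources[(user, day)] - b["sources"]
        if new_src:
            alerts.append((user, day, "new_source", sorted(new_src)))
        if len(hs) >= host_factor * b["hosts"]:
            alerts.append((user, day, "lateral_movement", len(hs)))
        total = nbytes[(user, day)]
        if total > 0 and total >= byte_factor * b["bytes"]:
            alerts.append((user, day, "exfiltration", total))
    return alerts


def run_example():
    """Baseline on everything before 13 Aug 2021, score 13 Aug onward."""
    return detect(parse(LOG_LINES), datetime(2021, 8, 13))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Run stand-alone, the script reports alice's new source (vpn-gw), six distinct hosts in one night against a baseline of two, and roughly 905 MB out against a baseline of about 53 KB, while bob's ordinary day produces nothing and carol is flagged only as having no history. The point is the shape of the check, not the thresholds: the signal comes from comparing an account's behaviour to its own past, which is exactly what a valid but stolen credential cannot disguise.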