T-Mobile Hacked Again: Is the Carrier Insecure?

T-Mobile has a cybersecurity problem, and after half a decade, it still hasn’t fixed it.

The nation’s second-largest wireless carrier disclosed in a regulatory filing Thursday that data on 37 million of its customers was stolen in a breach. Security experts say that while the data may not be highly sensitive, its compromise could put those people at risk of being tricked or otherwise targeted by cybercriminals.

Sound familiar? That’s because T-Mobile was already dealing with the fallout from a data breach in 2021 that compromised the personal information of nearly 77 million people. T-Mobile agreed to pay $500 million in the case in July.

It’s the latest in a string of incidents stretching back to 2018, a major blot on the company that once championed the “Leave Carrier” movement for consumers hacked by the wireless company. The sheer number of incidents has experts questioning whether staying with the carrier puts you at risk.

“Five breaches in five years,” said Chester Wisniewski, area chief technology officer for applied research at security company Sophos. “People can decide for themselves if they want to stay with T-Mobile.”

While both Verizon and AT&T have dealt with data compromises in recent years, they are minimal compared to the problems T-Mobile has faced.

In T-Mobile’s latest breach, cybercriminals used the company’s API, or application programming interface, to access data associated with customer accounts. APIs are commonly used features that allow data to be passed back and forth between different software applications.

The information stolen included customer names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers and information about what plan features they had with the carrier and the number of lines on their accounts.

T-Mobile declined to make an executive available for an interview on Friday or to comment beyond the statements it has already made.

In a filing with the Securities and Exchange Commission and a press release on Thursday, the company tried to play down the value of what was stolen, noting that customers’ financial information and their most sensitive information, such as their Social Security numbers, were not touched.

That’s misleading, said Justin Fier, senior vice president of red team operations at AI security company Darktrace.

“I would argue that we shouldn’t dumb it down,” Fier said, adding that such a vast trove of consumer profiles could be useful to anyone from nation-state hackers to crime syndicates.

“There are dozens of ways to weaponize stolen information.”

This includes SIM-swapping attacks, where cybercriminals contact a wireless carrier, use stolen personal information to impersonate the account holder, and request that the phone number be ported to a new SIM card. This could give them access not only to the wireless number and account, but also to any two-factor authentication codes that might come to the phone via SMS.

That’s why Wisniewski said it’s important that consumers, especially those compromised in the T-Mobile breach, avoid using SMS as a two-factor authentication method for banking, retirement, cryptocurrency and other critical online accounts.

Additionally, all wireless customers should ensure that their accounts are protected with a PIN or password, which can help prevent SIM swapping.

Meanwhile, Fier, who spent more than a decade in counterterrorism before joining Darktrace, said nation-state hackers can also use data to connect the dots between people for intelligence purposes.

Average people are more likely to be targeted by scammers impersonating T-Mobile via phone or email. Armed with basic information such as account numbers, these scammers will appear more credible, he said.

With all that in mind, Fier, a T-Mobile customer, said he won’t be losing too much sleep or switching carriers over the breach. He notes that there is not yet enough information about exactly how the breach occurred or whether T-Mobile is to blame.

The best thing all consumers can do is to strengthen their personal security by changing their passwords, enabling two-factor authentication when possible, and accepting companies’ free credit monitoring offers when breaches occur.

Wisniewski was less charitable, saying he never recommended T-Mobile based on its track record over the past few years, but noted that other wireless carriers aren’t perfect either.

“None of these companies are sacred,” he said.
