By Michael Hill, UK Editor, CSO
Telecommunications giant T-Mobile has warned that information including names, dates of birth, US Social Security numbers (SSNs), and driver’s license/ID details of some 50 million individuals, comprising current, former, and prospective customers, has been exposed in a data breach. While many details of the incident (including its root cause) remained unclear as of August 19, the immediate fallout suggests it may be one of the most significant breaches of recent times, not least because of the number of records exposed and the regulatory implications that may come into play.
With the dust still very much settling, here is a timeline of the data breach according to T-Mobile’s public disclosure and other sources. CSO will update this timeline as events unfold.
News broke on Vice.com of hackers claiming to have accessed data relating to over 100 million people, which they were offering for sale. While the underground forum post did not mention T-Mobile specifically, the seller told Motherboard that the information came from T-Mobile servers and included SSNs, phone numbers, names, physical addresses, IMEI numbers, and driver’s license information. Motherboard reported that it had confirmed samples of the data to be accurate.
The seller was asking for 6 bitcoin (around $270,000) for a subset of the data containing 30 million SSNs and driver’s licenses and said that they were looking to sell the remaining information privately. In a statement to Motherboard, T-Mobile said: “We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time.”
With news of the incident making headlines around the globe, T-Mobile issued a statement confirming that unauthorized access to some T-Mobile data had occurred, though investigations were yet to determine if any personal customer information was involved. “We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed. We take the protection of our customers very seriously and we are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement.”
The company said it was confident that the entry point used to gain access had been closed, and that it was continuing its deep technical review of the situation across systems to identify the nature of any data that was illegally accessed. “This investigation will take some time but we are working with the highest degree of urgency. Until we have completed this assessment, we cannot confirm the reported number of records affected or the validity of statements made by others,” the statement read.
T-Mobile issued an update on its ongoing investigation into the breach, including estimations of individuals affected and remediation steps it was taking. “Late last week we were informed of claims made in an online forum that a bad actor had compromised T-Mobile systems. We immediately began an exhaustive investigation into these claims and brought in world-leading cybersecurity experts to help with our assessment.”
T-Mobile said it located and immediately closed the access point it believed was used to illegally gain entry to its servers, and while its investigation was still underway, it confirmed that the data stolen included some personal information. “We have no indication that the data contained in the stolen files included any customer financial information, credit card information, debit or other payment information,” it said. “Some of the data accessed did include customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpaid customers and prospective T-Mobile customers.” The company also confirmed that approximately 850,000 active T-Mobile prepaid customer names, phone numbers, and account PINs were exposed.
T-Mobile said it would be issuing communications to advise customers on next steps and recommended actions to avoid falling victim to follow-on attacks. This included the offer of two years of free identity protection services and advice that all T-Mobile postpaid customers should change their account PIN. “This precaution is despite the fact that we have no knowledge that any postpaid account PINs were compromised,” it added. T-Mobile also pointed postpaid customers to its Account Takeover Protection feature as an extra step to protect their mobile accounts, and said it would be publishing a dedicated webpage with information and guidance to help customers further protect themselves.
Security researcher Brian Krebs advised T-Mobile customers to change their PIN as instructed by T-Mobile, but also advocated removing phone numbers from as many online accounts as possible. “Many online services require you to provide a phone number upon registering an account, but in many cases that number can be removed from your profile afterwards.” Many online services allow users to reset their passwords simply by clicking a link sent via SMS, and this widespread practice has turned mobile phone numbers into de facto identity documents, he added. That is why losing control over a phone number, whether “thanks to an unauthorized SIM swap or mobile number port-out, divorce, job termination or financial crisis,” is something that “can be devastating.”
Krebs also warned customers to be on the lookout for related phishing attacks, adding that it is a safe bet that scammers will use some of the exposed information to target T-Mobile users with phishing messages, account takeovers, and harassment. “T-Mobile customers should expect to see phishers taking advantage of public concern over the breach to impersonate the company — and possibly even messages that include the recipient’s compromised account details to make the communications look more legitimate.”
With T-Mobile’s data breach investigation ongoing, the company issued an updated statement disclosing that a further 5.3 million current postpaid customer accounts had one or more of the associated customer names, addresses, dates of birth, phone numbers, International Mobile Equipment Identity (IMEI) and International Mobile Subscriber Identity (IMSI) numbers illegally accessed. “We also previously reported that data files with information from about 40 million former or prospective T-Mobile customers, including first and last names, date of birth, SSN, and driver’s license/ID information, were compromised. We have since identified an additional 667,000 accounts of former T-Mobile customers that were accessed with customer names, phone numbers, addresses and dates of birth compromised. These additional accounts did not have any SSNs or driver’s license/ID information compromised.” T-Mobile reiterated its confidence that it had closed off the access and egress points the bad actor used in the attack.
Two lawsuits were filed against T-Mobile following the breach. The first, Espanoza v. T-Mobile USA, claimed that the company put plaintiffs at risk through its failure to adequately protect customers as a result of negligent conduct. “As a result of the data breach, plaintiffs and class members are exposed to a heightened present and imminent risk of fraud and identity theft,” the complaint read.
The second, Durwalla v. T-Mobile USA, stated that T-Mobile “failed to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect its customers’ personal information, yet again putting millions of customers at great risk of scams and identity theft.” Both suits seek relief for alleged violations of the Washington Consumer Protection Act and the California Consumer Privacy Act, including compensation and reimbursement of out-of-pocket costs incurred in repairing any damage caused by the data breach.
In an interview with the Wall Street Journal, a 21-year-old American man living in Turkey claimed to be responsible for the attack on T-Mobile. According to the report, John Binns told reporters that he originally gained access to T-Mobile’s network in July via an unprotected router. “I was panicking because I had access to something big. Their security is awful. Generating noise was one goal,” he is quoted as saying. The attack was apparently carried out in retaliation for how Binns says he has been treated by US law enforcement agencies in recent years. It remains uncertain whether he acted alone or as part of a group, or whether any of the stolen data has been sold thus far.
Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security.
Copyright © 2021 IDG Communications, Inc.