Telecom giant T-Mobile has suffered yet another data breach after hackers abused one of the company’s APIs to steal the personal information of 37 million customers. Names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, the number of lines on each account, and tariff plan features were stolen. This is the eighth data breach at T-Mobile in recent years.
What is the background
In recent years, hackers have become more active, and many data breaches have been reported from all over the globe, despite increased spending on cybersecurity.
Recently, several companies have reported massive data breaches, and there have been reports of state-sponsored hacking attacks against activists, opposition politicians, journalists, foreign diplomats, etc.
During the pandemic, cybercrime has reportedly increased exponentially, with almost every industry affected in one way or another. The need for high-quality, secure software, including virtual business phone systems, is therefore only growing.
How it happened
T-Mobile representatives did not specify exactly how the attackers were able to abuse the API, but hackers often find bugs that allow them to extract data without prior authentication.
T-Mobile’s investigation showed that since November 25, 2022, attackers had been actively exploiting flaws in the implementation of one of the company’s APIs, which was accessible without authorization.
T-Mobile security specialists discovered suspicious activity on this communication channel only on January 5, 2023. They then blocked the hackers from accessing the internal network.
While studying the consequences of the incident, it emerged that the attackers had managed to extract subscribers’ personal data in bulk, including full name, home address, email, phone number, date of birth, T-Mobile account number, and information about tariffs and services provided. In total, the data of 37 million postpaid and prepaid customers was leaked.
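The pattern described above (an API that hands out customer records without checking who is asking, abused undetected for some forty days) is illustrated below with an added example that is not T-Mobile’s code; the company has not disclosed the details of the affected API. It shows a weak record-lookup handler beside a hardened one that authenticates the caller and enforces object-level authorization, and a simple detection rule that flags a client touching many distinct account numbers in a short window. The customer records, session tokens, log format and thresholds are all constructed assumptions.

```python
"""Added illustration: unauthenticated record lookup vs. a hardened handler,
plus a log-based enumeration detector. All data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

# Constructed customer records keyed by account number (not real data).
CUSTOMERS = {
    "100001": {"name": "A. Example", "email": "a@example.test", "dob": "1980-01-01"},
    "100002": {"name": "B. Example", "email": "b@example.test", "dob": "1991-05-05"},
    "100003": {"name": "C. Example", "email": "c@example.test", "dob": "1975-09-09"},
}

# Constructed session tokens: token -> account number the session belongs to.
SESSIONS = {"tok-alice": "100001", "tok-bob": "100002"}


def weak_lookup(account: str):
    """Weak pattern: any caller who knows (or guesses) an account number gets
    the record. With sequential account numbers the whole table is enumerable."""
    return CUSTOMERS.get(account)


def hardened_lookup(account: str, token: Optional[str]):
    """Hardened pattern: authenticate the caller, then enforce object-level
    authorization: the session must own the requested account."""
    if token is None or token not in SESSIONS:
        raise PermissionError("authentication required")
    if SESSIONS[token] != account:
        # Same error whether or not the account exists, so the endpoint
        # cannot be used to confirm which account numbers are valid.
        raise PermissionError("forbidden")
    return CUSTOMERS.get(account)


# Constructed access-log lines (simplified format):
#   <timestamp> client=<id> <method> <path> <status>
# One client reads its own account a few times; another walks sequential
# account numbers every few seconds, including ones that do not exist.
LOG_LINES = [
    "2022-11-25T03:14:00Z client=198.51.100.4 GET /api/customers/100002 200",
    "2022-11-25T03:14:20Z client=198.51.100.4 GET /api/customers/100002 200",
    "2022-11-25T03:14:40Z client=198.51.100.4 GET /api/customers/100002 200",
    "2022-11-25T03:15:00Z client=203.0.113.9 GET /api/customers/100001 200",
    "2022-11-25T03:15:05Z client=203.0.113.9 GET /api/customers/100002 200",
    "2022-11-25T03:15:10Z client=203.0.113.9 GET /api/customers/100003 200",
    "2022-11-25T03:15:15Z client=203.0.113.9 GET /api/customers/100004 404",
    "2022-11-25T03:15:20Z client=203.0.113.9 GET /api/customers/100005 404",
    "2022-11-25T03:15:25Z client=203.0.113.9 GET /api/customers/100006 404",
    "2022-11-25T03:15:30Z client=203.0.113.9 GET /api/customers/100007 404",
    "2022-11-25T03:15:35Z client=203.0.113.9 GET /api/customers/100008 404",
]


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, client, account, status)."""
    ts, client, _method, path, status = line.split()
    return (
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        client.split("=", 1)[1],
        path.rsplit("/", 1)[1],
        int(status),
    )


def detect_enumeration(lines, max_distinct: int = 5, window=timedelta(minutes=1)):
    """Flag any client that requests more than `max_distinct` distinct account
    numbers within a sliding `window`. Returns {client: distinct count at the
    moment the rule first fired}. Status codes are deliberately ignored: a
    404-heavy stream of sequential lookups is itself the signal."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e[0])
    history = defaultdict(list)  # client -> [(timestamp, account), ...]
    flagged = {}
    for ts, client, account, _status in events:
        hist = history[client]
        hist.append((ts, account))
        while hist and ts - hist[0][0] > window:  # drop events outside the window
            hist.pop(0)
        distinct = {acct for _, acct in hist}
        if len(distinct) > max_distinct and client not in flagged:
            flagged[client] = len(distinct)
    return flagged


if __name__ == "__main__":
    print("weak lookup, no token:", weak_lookup("100001"))
    print("hardened lookup, owner:", hardened_lookup("100001", "tok-alice"))
    for tok in (None, "tok-bob"):
        try:
            hardened_lookup("100001", tok)
        except PermissionError as exc:
            print("hardened lookup rejected", repr(tok), "->", exc)
    print("flagged clients:", detect_enumeration(LOG_LINES))
```

The detector fires on the sixth distinct account number from the probing client within the one-minute window; the legitimate client, which only ever reads its own account, is never flagged. In production the same rule would run over the API gateway’s access logs with the threshold tuned to the endpoint’s normal per-client fan-out, and the hardened handler would additionally sit behind a per-token rate limit.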
What’s left safe
The company emphasizes that the API used in the attack did not give the attacker access to information such as driver’s licenses and other identification data, social security numbers and tax IDs, passwords and PINs, payment card information, or other account financial information.
“Passwords, credit card information, social security numbers, government identification numbers, or other financial information were not compromised by cybercriminals,” T-Mobile said in an interview with The Wall Street Journal.
“The preliminary result of the investigation showed that the attackers obtained data for approximately 37 million postpaid and prepaid customer accounts, although many of these accounts did not contain the full set of data,” the company writes.
What measures have been taken
T-Mobile’s information security specialists explained that the malicious activity in the company’s IT infrastructure related to this incident has been contained. They found no evidence that the attackers were able to breach or compromise other T-Mobile IT systems or networks.
T-Mobile has reportedly notified the relevant authorities about the incident and is actively working with law enforcement and regulators to investigate the security breach and the leak of customer data. Affected subscribers, whose personal data may have been exposed as a result of the attack, are already being informed about what happened.
In its press release, T-Mobile said it was informing all affected customers of the data breach and stated that protecting customer data remains its top priority. The company also noted that it has been investing significant sums in improving its cybersecurity following previous incidents.
“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is no evidence that an attacker could have compromised or compromised our systems or network,” T-Mobile added.
Were there precedents?
Unfortunately yes, and there were many. Since 2015, T-Mobile has been hacked about a dozen times, and in some cases the same hackers were involved.
For example:
- In 2015, hackers broke into the Experian credit bureau’s network. T-Mobile subscribers were among the 15 million people whose personal data was exposed;
- in 2018, the data of 3% of all subscribers (about 2 million users at the time) was stolen from the company. The leak also included user passwords, which had been protected only with the weak MD5 hashing algorithm;
- in 2019, prepaid subscriber data was stolen;
- in March 2020, hackers gained access to the email account of one of the company’s employees, and in December 2020 hackers gained access to subscribers’ private information (phone numbers, call logs);
- in 2021, the company was hacked through a vulnerable router and the information of approximately 100 million customers was stolen. Following the 2021 breach, T-Mobile paid out more than $350 million to customers who filed a class-action lawsuit after personal information such as Social Security numbers was stolen in the attack;
- in 2022, the company was hacked by the infamous Lapsus$ hacker group, which gained access to the company’s internal tools to carry out so-called “SIM swap” attacks. The hackers are also believed to have stolen the source code of a number of T-Mobile’s projects, as they had done with other companies such as Samsung, Microsoft, and Globant.
As a result, in 2022 the company paid a $25 million fine to the FCC and agreed to pay $500 million to settle a class action lawsuit brought by customers. It also prevented publication of the stolen database by paying the hackers $270,000.
On the other hand, an attempt by the company to buy stolen data back from hackers for $200,000 ended in failure. The attackers took the money but continued to publish customer data and sell the leaked files to third parties.
What are the takeaways?
“We understand that an incident like this has an impact on our customers, and we’re sorry it happened,” T-Mobile said in a statement. “While we, like any other company, are unfortunately not immune from this type of criminal activity, we plan to continue to make significant multi-year investments in strengthening our cybersecurity program.”
In total, T-Mobile has more than 110 million subscribers in the US. This is the second major security breach at the company in two years.