T-Mobile confirmed a data breach affecting more than 47 million records after hackers offered customer data for sale online.
The data breach, detailed by the mobile carrier on Aug. 17, affects 7.8 million accounts of current customers and 40 million records of former and prospective customers, the company said. Hackers claimed to have stolen records belonging to more than 100 million T-Mobile users, while the company has about 102 million current customers.
The company also had a data breach in 2018, affecting about 2 million customers.
T-Mobile said it had fixed the problem that led to the breach. In addition, the company said it has "no indication" that the breach included customer financial information or credit card information. However, the breach included customer names, dates of birth, Social Security numbers, and driver's license information.
The carrier will offer affected people two years of free identity protection services. In addition, the company recommended that all postpaid customers change their account PINs. The company has reset the PINs of about 850,000 prepaid customers.
While a breach at a mobile carrier leaves customers open to the same identity theft risks as a breach at any other company, some cybersecurity experts suggested the stolen information could also expose T-Mobile customers to account takeovers through a method called a SIM-swapping attack. In a typical SIM-swapping attack, criminals use social engineering, often backed by personal details such as those stolen here, to convince the mobile carrier to transfer the targeted customer's phone number to a SIM card the criminal controls, so that calls and text messages for that number reach the attacker instead of the victim.
"At first sight, this is no different from many of the other ongoing data breaches, but this changes when we think about what can be done with this data," said Yehuda Lindell, CEO of cryptography vendor Unbound Security. The compromised data "includes everything that attackers would need to take over a victim's mobile account via a SIM-swapping attack."
After the attacker takes over the victim's phone account, he then can reset the victim's email and social media accounts, often authenticated using a one-time password sent by SMS to the victim's phone number, Lindell added.
The breach raises concerns about identity fraud, identity theft, and account takeover, added Baber Amin, COO at Veridium, a passwordless security vendor.
"This same information can be used to obtain utility accounts in others' names, file taxes to steal refunds, obtain loans, and in certain cases even apply for mortgages and equity lines in the names of real owners," he told the Washington Examiner.
Meanwhile, he noted that account takeover could be used to access loyalty accounts for airlines, hotels, and other services.
Mobile data theft is especially problematic because phone numbers are often used as part of two-factor authentication for other services, added Doug Britton, CEO of Haystack Solutions, which conducts aptitude assessments for potential cybersecurity workers.
"The mobile phone is a significant part of what we all know as a secure passcode channel," he told the Washington Examiner. "Compromising that could make other unrelated accounts vulnerable."
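The takeover chain described above (SIM swap, then password reset by SMS one-time password) and one control a service can put in front of it, as an added example that is not part of the original article and not T-Mobile's or any vendor's code. The carrier, the account service, the phone number and the timings are constructed for the simulation; the mitigation assumes the service can learn how recently the SIM behind a number changed, which is an assumption about the carrier rather than a description of T-Mobile's systems.

```python
"""Constructed simulation of a SIM-swap account takeover via SMS one-time
passwords, plus a SIM-change recency check that blocks it.  Added example;
the carrier, service, number and timings below are assumptions."""
import hashlib
import hmac
import secrets

ONE_HOUR = 3600


class Carrier:
    """Toy carrier: maps a phone number to the SIM that currently owns it."""

    def __init__(self):
        self.sim_for_number = {}   # number -> SIM identifier
        self.sim_changed_at = {}   # number -> time (seconds) of last SIM change

    def activate(self, number, sim, now):
        self.sim_for_number[number] = sim
        self.sim_changed_at[number] = now

    def sim_swap(self, number, new_sim, now):
        """A successful social-engineering call: the number moves to new_sim."""
        self.activate(number, new_sim, now)

    def deliver_sms(self, number, text):
        """An SMS reaches whichever SIM owns the number right now, not a person."""
        return self.sim_for_number[number], text

    def seconds_since_sim_change(self, number, now):
        return now - self.sim_changed_at[number]


class AccountService:
    """Web service whose password reset is authenticated by an SMS OTP."""

    def __init__(self, carrier, sim_change_cooldown=None):
        self.carrier = carrier
        self.cooldown = sim_change_cooldown   # None = naive SMS-only recovery
        self.accounts = {}                    # user -> {"number", "pw_hash"}
        self.pending = {}                     # user -> outstanding OTP

    @staticmethod
    def _hash(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def register(self, user, number, password):
        self.accounts[user] = {"number": number, "pw_hash": self._hash(password)}

    def start_reset(self, user, now):
        """Send a reset OTP; returns (sim_that_received_it, otp), or None if refused."""
        number = self.accounts[user]["number"]
        if (self.cooldown is not None
                and self.carrier.seconds_since_sim_change(number, now) < self.cooldown):
            return None   # number changed SIM recently: require a non-SMS factor instead
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = otp
        sim, _ = self.carrier.deliver_sms(number, f"Your reset code is {otp}")
        return sim, otp

    def finish_reset(self, user, otp, new_password):
        expected = self.pending.pop(user, None)
        if expected is None or not hmac.compare_digest(expected, otp):
            return False
        self.accounts[user]["pw_hash"] = self._hash(new_password)
        return True

    def login(self, user, password):
        return hmac.compare_digest(self.accounts[user]["pw_hash"], self._hash(password))


def run_attack(sim_change_cooldown):
    """Victim registers, attacker SIM-swaps the number, then tries SMS recovery.
    Returns True if the attacker ends up able to log in as the victim."""
    carrier = Carrier()
    carrier.activate("+15550100", "victim-sim", now=0)            # constructed number
    svc = AccountService(carrier, sim_change_cooldown)
    svc.register("alice", "+15550100", "correct horse battery staple")

    # Weeks later, armed with leaked name/DOB/SSN, the attacker talks the
    # carrier into moving the number onto a SIM they hold.
    t_swap = 30 * 24 * ONE_HOUR
    carrier.sim_swap("+15550100", "attacker-sim", t_swap)

    # Ten minutes after that, the attacker requests a password reset.
    result = svc.start_reset("alice", t_swap + 10 * 60)
    if result is None:
        return False                       # service refused SMS recovery
    sim, otp = result
    if sim != "attacker-sim":
        return False                       # code went to a SIM the attacker lacks
    svc.finish_reset("alice", otp, "attacker-chosen")
    return svc.login("alice", "attacker-chosen")


if __name__ == "__main__":
    print("naive SMS recovery, attacker wins:", run_attack(None))
    print("72h SIM-change cooldown, attacker wins:", run_attack(72 * ONE_HOUR))
```

The point the simulation makes is that the OTP never authenticates a person, only whoever currently holds the SIM behind the number; the cooldown turns a fresh SIM change into a signal that SMS cannot be trusted yet, and a service without a way to learn that signal has to fall back to a factor the carrier cannot reassign, such as an authenticator app or hardware key.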
The theft of personal data means T-Mobile customers are likely to be the targets of identity theft and other cybercrimes for a long time, added Richard Blech, CEO of encryption vendor XSOC Corp.
"That data will remain useful and valuable for years to come," he told the Washington Examiner. "Given the nature of the data that was exposed in this breach, there would be almost a 100% certainty that the stolen PII will be used by bad actors, not only on account takeover but further access to the victims' other repositories, such as their online banking."
Blech called on T-Mobile to investigate and fix the problem so that it doesn't happen again. In addition to providing affected customers with data protection services, the carrier should focus on training employees about data security, he recommended.
Original Author: Grant Gross
Original Location: T-Mobile customer breach raises fears of account takeovers