Mobile operator T-Mobile US has advised the public that the data breach revealed on a hacker’s forum is genuine. The telco’s ‘preliminary analysis’ confirmed that records relating to 7.8mn postpaid customer accounts and another 850,000 prepaid users were compromised. The hackers also gained visibility of 40mn records, including social security numbers and dates of birth, relating to former or prospective customers who had applied for credit.
An announcement on T-Mobile’s website stated they had closed the access point believed to have been used by the hackers. They also emphasized that there is “no indication that the data contained in the stolen files included any customer financial information, credit card information, debit or other payment information.”
However, a lot of valuable information was still obtained by the hackers.
“Some of the data accessed did include customers’ first and last names, date of birth, SSN [social security number], and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.”
Customers at risk have been offered 2 years of McAfee’s identity protection service for free. The PINs of the 850,000 affected prepaid customers were also breached, so T-Mobile has proactively changed them all. T-Mobile say there is no evidence that the PINs of any postpaid customers were compromised but are still recommending that all customers change their PINs anyway.
The anonymous online salesperson claiming to represent the hackers said they gained access via an insecure GGSN, reports GovInfoSecurity.
The individual claims that T-Mobile left a Gateway GPRS Support Node, or GGSN, that was apparently used for testing, exposed to the internet. GGSNs are part of the core infrastructure that connects mobile devices to the internet.
“From there, we pivoted through several different IP addresses and eventually got access to their production servers,” the person says in an instant message.
Eventually, the individual accessed more than 100 servers by brute forcing and using credential stuffing on internal T-Mobile servers, most of which were Oracle databases. None had rate limiting enabled.
T-Mobile’s customers should be aware of the risks of data breaches because they have suffered them several times before. Data for over a million prepaid T-Mobile customers was compromised by bad actors obtaining unauthorized access in 2019. The year before, hackers stole data relating to 2mn T-Mobile customers. And in 2015 credit bureau Experian were hit by a cyberattack that yielded the records of 15mn T-Mobile customers.
The share price of T-Mobile US at market close on Thursday was USD140.87, down 2.8 percent compared to the price at the end of last week, before the news of the hack had broken. There was a sharp drop in the share price when markets opened on Monday but it has remained stable since.
Nobody wants to hear that a security vulnerability allowed hackers to gain access to personal data. However, if we can trust T-Mobile’s figures then the scale of the breach is a lot less than the hackers’ original claims to have stolen the data of 100mn people. Customers may be fed up of hearing about data breaches, but neither they nor investors seem to do much about them. This week’s fall in the value of T-Mobile US shares is just a blip relative to the rise they have enjoyed in recent years. For good or bad, we all seem to treat data breaches as routine.