T-Mobile hacked again; hackers accessed customer information

To close out the year, U.S. telecommunications giant T-Mobile announced it had been hacked. In a notice, the company said its cybersecurity team had discovered and shut down malicious, unauthorized access to some information related to T-Mobile accounts.

According to the notice, the data accessed did not include names on the account, physical or email addresses, financial data, credit card information, social security numbers, tax ID, passwords, or PINs. However, "customer proprietary network information (CPNI) as defined by the Federal Communications Commission (FCC) rules was accessed. The CPNI accessed may have included phone number, number of lines subscribed to on [user] account and, in some cases, call-related information collected as part of the normal operation of [user] wireless service."

The cell carrier noted it had started an investigation as soon as the hack was discovered, with assistance from cybersecurity forensics experts, to determine what happened and what information was involved. T-Mobile also notified federal law enforcement as well as impacted customers.

In 2018, T-Mobile admitted hackers had breached its email systems, exposing names, billing zip codes, phone numbers, email addresses, account numbers and account types. In March 2020, the company also disclosed a security breach, affecting employee email accounts and user data.

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, says, “While it appears that the attackers weren’t able to collect any highly sensitive personal data of T-Mobile customers, there is still risk posed to those whose phone numbers were stolen in the breach. An area code is all an attacker needs to carry out a socially engineered mobile phishing attack. Lookout discovered a mobile phishing campaign in February 2020 that associated area codes with popular banks in the area to try to phish mobile banking login credentials."

Schless adds, "The attacker can pretend to be T-Mobile support over voice or text in order to get customers to share their login credentials. Since customers know there was a recent security incident, they may not think twice before engaging with an individual who claims they can help. If this were successful and the attacker made their way into the customer’s account, they could have access to sensitive information associated with the account. Mobile phishing represents one of the biggest security blind spots for individuals and enterprise security teams alike. Since it can be incredibly difficult to identify phishing attempts on smartphones and tablets, it’s more important than ever to have mobile phishing protection on all of your mobile devices.”

Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, notes, “The volume of attacks and successful attacks against wireless carriers continues to rise. In this particular case, one has to wonder if it is related to the merging of two titans. Sprint had a series of issues last year and this is a another in a list of success attacks on T-Mobile. In our industry, when issues continue regardless of impact, we usually go back to the drawing board. It feels like there is an opportunity here to review the foundations of cyber relative to the merged entity and find out where quick wins can be had to shore up defenses. With the volume of successful attacks that we are seeing, either they are suffering from consistent advanced persistent threats or there is something easily exploited that is being overlooked.”

Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers, adds, “It's important that in industry we don't dog pile on every breach with accusations of failure. The correct lens to view this event through is the impact, not prevention – prevention will always fail eventually. Given that the reported impact of this breach appears to be significantly less impactful than prior breaches, this could be an indication that the investments that T-Mobile has made in cyber-resilience are paying dividends even if there may still be opportunities for further progress ahead.”

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

A head of state needs heart surgery at your facility. High-profile members of a national sports team are getting updated vaccinations. What do you do when you get the call?