Mobile telecommunication company T-Mobile has confirmed a data breach that reportedly affects nearly all of its U.S. customers. Hackers gained access to the company’s systems, including servers and databases containing the personally identifiable information of approximately 100 million customers.

“We have determined that unauthorized access to some T-Mobile data occurred, however, we have not yet determined that there is any personal customer data involved,” the company said in a new announcement. “We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed.”

Vice Motherboard first reported the news, claiming T-Mobile was investigating a post on an underground forum offering for sale Social Security Numbers and other private data. The forum post at the time didn’t name T-Mobile, but the seller told Motherboard the data came from T-Mobile servers. In addition, the seller told Motherboard that 100 million people had their data compromised in the breach. In the forum post, they offered data on 30 million people for six bitcoin, or around $270,000. The seller also said they are privately selling the rest of the data at the moment.

To gain access, explains Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based endpoint-to-cloud security company, an attacker usually creates a backdoor by exploiting a vulnerability or by using social engineering to convince an employee to install an infected file that opens up access.

“Once the attacker has that backdoor access, they can move laterally around the infrastructure to locate highly valuable data,” Schless says. “From there, they can either exfiltrate it or encrypt it to kick off a ransomware attack. If the attacker can swipe employee credentials as part of their initial attack, then their chances of success are that much higher because they’re masked as a legitimate user.”

Motherboard confirmed that the samples of data it reviewed contained accurate information on T-Mobile customers, such as Social Security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver’s license information.

T-Mobile says the investigation will take some time, and until it is complete, the company cannot confirm the reported number of records affected or the validity of statements made by others.

Schless notes that this incident highlights how important visibility and anomalous behavior detection are if an organization wants to implement a security strategy built for today’s threat landscape. “As organizations expand their cloud footprint, enable remote access to on-prem infrastructure, and allow their employees to use personal mobile devices to access company data, they need to implement security and access policies across all of those resources. Understanding exactly how your users, devices, files and services interact is the best way to prevent incidents like this. A cloud security platform that can provide this level of visibility is key to any enterprise security strategy,” he says. “Constant inundation of new point security solutions has put additional pressure on security organizations that are already stressed with maintaining what they have. Teams need to implement a unified platform approach to introduce complexity costs and ensure uniform security and access policies across the infrastructure.”

According to BleepingComputer, threat actors told Alon Gal, CTO of cybercrime intelligence firm Hudson Rock, that they performed this hack to damage U.S. infrastructure. “This breach was done to retaliate against the U.S. for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019. We did it to harm U.S. infrastructure.”

Hitesh Sheth, President and CEO at Vectra, a San Jose, Calif.-based AI cybersecurity company, explains, “T-Mobile’s attackers claim they ransacked company databases as reprisal for U.S. espionage activity. They do not seem to be demanding ransom. If true, it further blurs the lines in cyberwar between government and private assets. Every business has to consider what kind of prize it, too, might represent to threat actors out to score political points.”

Sheth adds, “If privately-owned infrastructure is going to suffer retaliation for things government does, it’s not only imperative that businesses shore up their cyber defenses. It’s vital that deeper, smarter public-private partnerships define cybersecurity norms, roles, and responsibilities. Like it or not, when a critical enterprise is a cyber target, it’s playing a role in national defense.”