At a glance.
- T-Mobile investigates possible data breach.
- Apple explains child protection measures.
- Facebook on child safety.
- DocuSign phishing campaigns.
T-Mobile investigates possible data breach.
If the (allegedly) responsible hoods who claim to have the data are to be believed, a breach of T-Mobile’s servers has put 100 million customers’ data at risk, BleepingComputer reports. Names, social security numbers, birth dates, driver’s license numbers, phone numbers, and security PINs are allegedly among the loot, as are the codes used to identify subscribers and their phones. Motherboard authenticated samples of the pilfered data as T-Mobile clients’. The telecom is “actively investigating.”
The hackers said they did not seek ransom, instead listing the data on dark forums. They disclosed a revenge motive to Hudson Rock CTO Alon Gal, centered on the CIA’s treatment of a Turkish resident in 2019, and a goal of “harm[ing] US infrastructure.”
One tranche of data is listed for 6 Bitcoin, according to Vice, while the remainder is for the time being available only through “private” channels. T-Mobile has apparently shut off access to its servers, but not before the crooks secured their haul “in multiple places.”
The breach, if it occurred as feared, has the potential to be a large one, affecting more than a hundred million customers. The story is developing, but we've received a great deal of industry comment on it.
Ilia Kolochenko, Founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, offered a preliminary assessment in an email early this morning, emphasizing the importance of not jumping to conclusions:
"Given that the offer seems to be new and unique, the price is very cheap: just 1 cent per victim. The records, which allegedly contain such extremely sensitive data as social security numbers and full histories of mobile phone usage, can be exploited to conduct targeted mobile attacks, social engineering, sophisticated phishing campaigns or financial fraud. Worse, the records reportedly encompass data from 2004 to 2021 and can cause extreme invasion of privacy or be used for blackmailing of wealthy victims.
"Based on the available technical information, it seems pretty likely that a supplier of T-Mobile could have unwittingly facilitated or caused the data breach. If so, it will be another grim reminder about the importance of Third-Party Risk Management (TPRM) programs and risk-based vendor vetting. From a legal viewpoint, if the information about the breach is confirmed, T-Mobile may face an avalanche of individual and class action lawsuits from the victims, as well as protracted investigations and serious monetary penalties from the states where the victims are based.
"Nonetheless, it would be premature to make conclusions before T-Mobile makes an official statement on the quantity and nature of the stolen data. The potential victims should refrain from panic and contact T-Mobile asking what type of intermediary support and compensation may be provided while the investigation is in progress. Some remedial actions, such as changing your driving license, may be time-consuming and costly, and I’d not precipitate here unless T-Mobile undertakes to cover the costs or confirms that the information was actually stolen.”
Jack Chapman, Egress VP of Threat Intelligence, emailed to express the seriousness of the incident, if it develops along the lines of the worst fears:
“This could be one of the most serious leaks of consumers’ sensitive information we’ve seen so far this year, potentially affecting 100 million people. Cybercriminals are using T-Mobile’s data to line their pockets, and unfortunately, it’s T-Mobile’s customers who will pay the price.
"The data leaked in this breach is reported as being already accessible to cybercriminals, who could now weaponize it to formulate sophisticated phishing attacks targeting the victims. In light of this, I would urge any customers who have been affected by this breach to be wary of any unexpected communications they might now receive, whether that’s over email, text messages or phone calls. Follow-up attacks may utilize the information accessed through this data breach to trick people into sharing more personal data that can be used for identity and financial fraud.
"This highlights the need for organizations such as T-Mobile to put in place the right technology to secure their sensitive data and defend their employees and their company from targeted attacks by cybercriminals. It’s time for organizations to take responsibility and ensure they’re keeping their customers’ data out of the hands of cybercriminals."
David Stewart, CEO of Approov, points out that anyone who's been reusing passwords should take note:
"If this T-Mobile data breach turns out to be genuine, and the initial signs are that it is, it is an alarm call to all enterprises who may share customers with T-Mobile. With 100M users' data for sale on the dark web, including usernames, passwords and other personal data, all such enterprises should expect script driven credential stuffing attacks imminently against their APIs.
“The probability that passwords have been reused across platforms is extremely high and therefore some of the T-Mobile credentials will also be valid for other platforms. This would be a truly excellent time for all enterprises to ensure that API calls are authorized by at least one independent authentication factor over and above their standard user authentication method."
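Stewart's warning about script-driven credential stuffing against APIs suggests a concrete detection check. The following is an added example, not code from Approov or from the original report: it scans constructed authentication log lines (the four-field format is an assumption) and flags any source address that tries many distinct usernames inside a short window, which is how a replay of leaked username/password pairs looks from the API side, while leaving a single account failing repeatedly (plain brute force) unflagged.

```python
"""Heuristic credential-stuffing detector for API authentication logs.

Added example for illustration; the log format (timestamp, source IP,
username, result) and the sample lines below are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one address cycles through many accounts (stuffing),
# another hammers a single account (brute force, not flagged here).
SAMPLE_LOG = """\
2021-08-16T09:00:01Z 203.0.113.7 alice FAIL
2021-08-16T09:00:02Z 203.0.113.7 bob FAIL
2021-08-16T09:00:02Z 203.0.113.7 carol FAIL
2021-08-16T09:00:03Z 203.0.113.7 dave OK
2021-08-16T09:00:04Z 203.0.113.7 erin FAIL
2021-08-16T09:00:05Z 203.0.113.7 frank FAIL
2021-08-16T09:01:00Z 198.51.100.9 alice FAIL
2021-08-16T09:01:30Z 198.51.100.9 alice FAIL
2021-08-16T09:02:00Z 198.51.100.9 alice OK
"""


def parse_line(line):
    """Split one log line into (datetime, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def max_distinct_users_in_window(events, window):
    """Largest number of distinct usernames one IP touched within any
    sliding window of the given length. `events` is a list of (ts, user)."""
    events = sorted(events)
    best, start = 0, 0
    for end in range(len(events)):
        # Advance the window start until it fits inside `window`.
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, len({u for _, u in events[start:end + 1]}))
    return best


def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: sorted list of all usernames attempted} for every IP that
    tried at least `min_users` distinct accounts within one `window`."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, _result = parse_line(line)
            per_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in per_ip.items():
        if max_distinct_users_in_window(events, window) >= min_users:
            flagged[ip] = sorted({u for _, u in events})
    return flagged


if __name__ == "__main__":
    for ip, users in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {ip}: {len(users)} accounts")
```

The thresholds (five accounts in five minutes) are deliberately loose starting points; tune them against a baseline of normal traffic before alerting. A successful login (`OK`) inside such a burst is the account to treat as compromised first, which is also where Stewart's point about an independent authentication factor on the API applies.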
Saryu Nayyar, Gurucul's CEO, agrees that, if the breach is confirmed, it seems likely to extend to T-Mobile's entire customer base. She also notes that it's interesting to see the attackers offer to sell the data back to T-Mobile:
“T-Mobile is investigating a breach involving 100 million accounts, all with highly personal information attached to them, including Social Security numbers, driver’s license information, names, and addresses. That number seems to indicate that it is the entire T-Mobile list of customers, present and past, making it one of the largest and most sophisticated attacks on record.
“While we have seen similar breaches with large numbers of accounts, this one is unique in that the attackers are offering to sell the most sensitive data back to T-Mobile. This makes it a type of ransomware attack, although it also involves data theft. T-Mobile should be wary of doing this, as data can be copied and resold outside of any agreement reached. But it seems that hackers believe that a ransomware approach offers a more fruitful means to profit than selling account data on the open market.”
Doug Britton, CEO of Haystack Solutions, finds the reports worrisome for the potential effect a breach at a mobile provider might have on multi-factor authentication:
“This is a very frustrating report. Mobile devices are key to many 2-factor authentication protocols. That makes this breach highly significant. If this breach is verified, it is another alarming event in a series of headlines that are eroding trust in privacy and data security. Corporations need to significantly develop cyber talent. This is an area that takes targeted and sustained investment.
“In general, we need to dramatically increase our pipeline of talent entering and expanding the cyber workforce. We have the tools to find cyber talent regardless of background. We need to collectively take action to leverage these tools and accelerate the talent development needed to combat data breaches and ransomware attacks or we risk eroding consumer confidence and suffering future exploits.”
Ron Bradley, VP at Shared Assessments, strikes a note of regret:
“The sad reality is, there are very few of us that haven't had our personal information compromised (likely multiple times). It's incumbent upon all consumers to take basic steps to protect themselves such as freezing their credit, using password managers, creating at least one throwaway email address, and being on the lookout for techniques such as SIM swapping (particularly in the case of T-Mobile users).”
Tom Garrubba, CISO at Shared Assessments, adds that ransomware-as-a-service operators are growing increasingly brazen in their approach:
“We are seeing these RaaS organizations becoming increasingly bold in their ransom efforts, and it appears (according to the Motherboard report) that the seller claimed they’ve 'lost access to the backdoored servers,' indicating they’ve been detected. This poses the question: what techniques does T-Mobile (or any other organization, for that matter) require to prevent threat actors from coming through the 'back door?' While threat actors need only to be successful once in compromising data, organizations need to be on their toes constantly and must consistently revisit their tools and techniques to ensure they’re covering all exposure points to their crown jewels - their customer or proprietary data.”
And, finally, Garret Grajek, CEO of YouAttest, says that, given the way threat actors are constantly scanning you for weaknesses, you should be doing the same:
“[Any] enterprise needs to be aware that hackers are constantly scanning our sites and resources for weaknesses. Zero Day threats are real - where hackers are identifying known and unknown weaknesses. Thus, we have to be cognitive of the attacker 'cyber kill chain' - where attackers step through a process of reconnaissance, intrusion, exploitation - which eventually leads to privilege escalation and lateral movement across the enterprise in search of data like this T-Mobile data. Enterprises should focus upon their current access policies and triggers on changes to identities in key groups to harden IT system security.”
Apple explains child protection measures.
Bloomberg says Apple is marching ahead with its 2021 launch of a triad of child protection features despite criticism that the measures will weaken encryption and user privacy. The characteristically privacy-friendly tech giant is training employees to calm customers’ worries, growing its child protection team, and engaging an unnamed “independent auditor” to review the rollout. The auditor will check that the CSAM database used to screen iCloud photos—and compiled with the assistance of the National Center for Missing and Exploited Children and other unspecified organizations, including “groups in regions operated by different governments”—contains nothing other than CSAM.
Apple also released a document titled “Security Threat Model Review of Apple’s Child Safety Features” that explains the functionality and privacy mechanisms of the new Messages and iCloud Photos tools. The document stresses the values of transparency, confidentiality, consent, and control, and clarifies the role of foreign governments in the CSAM database. Only hashes flagged by two or more organizations from two or more countries will be included. The document also attends to the possibility of covert changes to the database or matching software, and to fears that the matching process could collect additional information.
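The inclusion rule described above (a hash enters the database only if it was flagged by two or more organizations from two or more countries) is a small intersection computation, and seeing it in code makes the privacy argument concrete: no single organization, and no set of organizations in a single jurisdiction, can get a hash into the database on its own. The following is an added illustration of that stated rule, not Apple's code; the organizations, countries and hash values are constructed placeholders, not real perceptual hashes.

```python
"""Illustration of a two-organization, two-country inclusion rule for a hash
database. Added example; organizations, countries and hash values below are
constructed placeholders, not Apple's data or implementation."""
from collections import defaultdict

MIN_ORGS = 2
MIN_COUNTRIES = 2

# Constructed submissions: organization -> (country, set of submitted hashes).
SUBMISSIONS = {
    "org-a": ("US", {"h1", "h2", "h3"}),
    "org-b": ("US", {"h1", "h2", "h4"}),
    "org-c": ("DE", {"h2", "h3", "h5"}),
}


def tally(submissions):
    """Map each hash to the set of organizations and countries that submitted it."""
    per_hash = defaultdict(lambda: {"orgs": set(), "countries": set()})
    for org, (country, hashes) in submissions.items():
        for h in hashes:
            per_hash[h]["orgs"].add(org)
            per_hash[h]["countries"].add(country)
    return per_hash


def build_database(submissions, min_orgs=MIN_ORGS, min_countries=MIN_COUNTRIES):
    """Return the set of hashes that meet both thresholds."""
    return {
        h for h, who in tally(submissions).items()
        if len(who["orgs"]) >= min_orgs and len(who["countries"]) >= min_countries
    }


def explain(submissions, min_orgs=MIN_ORGS, min_countries=MIN_COUNTRIES):
    """Return {hash: reason} for every submitted hash, so the decision is auditable."""
    reasons = {}
    for h, who in sorted(tally(submissions).items()):
        n_orgs, n_countries = len(who["orgs"]), len(who["countries"])
        if n_orgs < min_orgs:
            reasons[h] = f"rejected: only {n_orgs} organization(s)"
        elif n_countries < min_countries:
            reasons[h] = f"rejected: {n_orgs} organizations but only {n_countries} country"
        else:
            reasons[h] = f"included: {n_orgs} organizations across {n_countries} countries"
    return reasons


if __name__ == "__main__":
    for h, reason in explain(SUBMISSIONS).items():
        print(h, reason)
```

In the constructed data, `h1` is submitted by two organizations but both are in the same country, so it is rejected even though it clears the organization count; only `h2` and `h3` qualify. The per-hash reasons are the sort of record an independent auditor (such as the one Bloomberg says Apple is engaging) would want to see for each entry.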
Facebook on child safety.
Not to be outdone, Facebook’s Safety Center is promoting child protection resources and a “zero-tolerance” stance on exploitation. Among the Center’s advertised design principles is “responsible empowerment,” described as the commitment to “responsibly empowering young people to enjoy the many benefits our platforms provide.”
DocuSign phishing campaigns.
Eddy Bobritsky, CEO of Minerva Labs, observes that DocuSign email notifications have become part of a trend toward more sophisticated and convincing forms of phishing:
"Over the last few years threat actors have become more and more sophisticated, and found new methods to disguise themselves from security tools. Legitimate tools are being used to hide malicious code, and by those tricky methods, security tools are having a hard time detecting them. We can even see malicious ways to hide code in GIF files that are tricking the user into installing malware by themselves, masquerading as legitimate software.
"Because new and evasive ways will always be invented by bad actors, it is important not to rely only on detection and response tools which work in a way that requires the initial stage of the attack to start by identifying it. The only way to truly protect any organization is by using prevention tools that prevent attacks before execution, and by that – before any damage has happened."