At a glance.
- T-Mobile confirms data breach.
- Alleged no-fly list found unprotected on the web.
- Update: Colonial Pipeline attack leaked personal data.
- Pearson learns the cost of a data breach.
T-Mobile confirms data breach.
Responding to reports that a hacker claimed on an underground forum to have stolen the data of 100 million T-Mobile customers, the carrier has confirmed that a breach did, in fact, occur, but says it is still determining whether customer personal data were obtained, CNET reports. T-Mobile states, “We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed.” Wired asserts this breach is especially noteworthy because the compromised Social Security numbers, phone numbers, addresses, and driver's license information are the ideal ingredients for a smishing or identity theft operation. The hacker also acquired IMEI numbers, the unique identifiers of mobile devices, which could be used to support a SIM-swap attack. “This could lead to account takeover concerns, since threat actors could gain access to two-factor authentication or one-time passwords tied to other accounts...using a victim’s phone number,” explained Abigail Showman, team lead at Flashpoint.
Felipe Duarte, security researcher at Appgate, observes that, should it be determined that personal information was accessed, that information could be expected to turn up in spearphishing campaigns:
"From a Malware Analyst point of view this is extremely valuable for targeted attacks like 'Spear Phishing,' in which an attacker uses social engineering to craft a spam email (or any electronic communication form really) to steal information or propagate a malware/phishing.
"An attacker with this information can craft a spam message with very specific information about their victim, convincing their target to open an attachment or open a malicious link in the browser. For instance, it's very common to receive malicious emails about a traffic ticket or a possible irregularity in your documents or vehicle. You can imagine how believable this would be if it contained your driver license's information.
"There are many implications for having this kind of data published. Attackers can use stolen documents to request credit cards or phone numbers using another person's name. There is also identity theft, and the obvious privacy violation, as no one wants someone with malicious intentions to know that amount of information. But from a Malware actor's point of view, the value of this information is mostly to craft campaigns filled with personal information to trick their targets."
John LaCour, Founder and CTO at PhishLabs, counsels caution, but explains what the implications of a major compromise would be for T-Mobile and its customers:
"We don’t know yet if this is a legitimate breach, but reportedly, samples of the data appear to be authentic. If it is genuine, then this represents a problem for both T-Mobile and the individuals whose data has been compromised. Many of us use our mobile phones for two-factor authentication to the services we use in our lives. The breached data might be used by attackers to port phones from T-Mobile to phones controlled by attackers, bypassing two-factor authentication. At a minimum, simple identity theft such as applying for credit as someone else could be performed using the breach data."
We also heard from Neil Jones, cybersecurity evangelist at Egnyte, who sees a lesson here in the need to partition data:
"Although the technical details of this potential attack are still being researched, this is a classic example of the need for organizations to partition data, and store highly-sensitive information such as driver's license, IMEI, and social security numbers separately from primary identification information such as names, addresses and phone numbers. The easier it is for a potential attacker to "mine" a company's data, the more likely they're able to generate financial gain on the dark web. This is also a stark reminder that highly-sensitive data should always be categorized by your users' 'business need to know,' to prevent potential internal threats."
Amy Keller, Partner and Leader of DiCello Levitt Gutzler’s Cybersecurity and Technology Law group, sent some comments on the likelihood of litigation over this incident, should it develop into a significant breach of personal information:
“If the hackers’ claims are true, it’s shocking that one of T-Mobile’s databases held sensitive information like dates of birth, drivers’ license numbers, social security numbers, and plaintext security PINs—going back to the 1990s. This goes against all guidance regarding data minimization, and storing sensitive information in plain text format is a clear no-no.”
“Consumers are sick and tired of data breaches, and statutes like the CCPA provide real teeth to demonstrate how important this data is to consumers. Statutory damages provide meaningful relief, and companies shouldn’t be storing data carelessly.”
Alleged no-fly list found unprotected on the web.
Bleeping Computer reports an unsecured Elasticsearch cluster containing what appears to be a secret terrorist watchlist was found by Security Discovery researcher Bob Diachenko. The database consisted of classified "no-fly" records including names, citizenship, gender, dates of birth, and passport information, but it has not been confirmed whether the database is connected to a government agency. Though Diachenko reported the leak to the US Department of Homeland Security immediately, the database was not taken down until about three weeks later. Diachenko asserts, "In the wrong hands, this list could be used to oppress, harass, or persecute people on the list and their families."
James McQuiggan, security awareness advocate at KnowBe4, reminds us, again, that securing data in the cloud is the responsibility of those who put the data there:
“Two of the Open Web Applications Security Project (OWASP) recommendations focus on preventing unauthorized access to the data and applications. Considering this search was discovered by utilizing commercial Open Source Intelligence and discovery tools, it is likely this may have been visible and downloaded by cyber criminals.
"Whenever organizations upload data to be accessible via the cloud, all data must be secured and restricted to authorized users to reduce the risk of a sensitive data leak.
"With proper and robust security education and training, developers can understand and implement effective access and identity management controls, which support the organization's policies to protect all uploaded data. These actions will reduce these risky events and avoid reputational damage for the organization.”
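The exposure described above comes down to a cluster that answers unauthenticated requests on a reachable interface. As an added illustration, not taken from the Bleeping Computer report or from Security Discovery, the following elasticsearch.yml places the weak settings beside the hardened ones; the cluster name, bind address and certificate paths are placeholders, and the settings shown are the standard Elasticsearch security options rather than anything specific to the exposed database.

```yaml
# Added example (constructed): weak vs. hardened elasticsearch.yml.
# Cluster name, address and certificate paths are placeholders.

# --- Exposed configuration: what an internet-reachable, unauthenticated cluster looks like ---
# network.host: 0.0.0.0            # listens on every interface, including public ones
# xpack.security.enabled: false    # no authentication or authorization on the REST API

# --- Hardened configuration ---
cluster.name: records-cluster                      # placeholder
network.host: 10.0.5.12                            # placeholder: bind only to a private address
xpack.security.enabled: true                       # every request must authenticate
xpack.security.http.ssl.enabled: true              # encrypt the REST API
xpack.security.http.ssl.keystore.path: certs/http.p12          # placeholder path
xpack.security.transport.ssl.enabled: true         # encrypt node-to-node traffic
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/transport.p12    # placeholder path
xpack.security.transport.ssl.truststore.path: certs/transport.p12  # placeholder path
```

Once security is enabled, users are created with the bundled password-setup tooling and granted roles that cover only the indices they need, which is the "restricted to authorized users" control the quote above calls for. A simple check from the host itself is to request the cluster's root endpoint without credentials: a hardened cluster returns an HTTP 401 rather than the cluster banner, and an asset inventory that records which clusters bind to non-private addresses catches the misconfiguration before an outside researcher does.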
Update: Colonial Pipeline attack leaked personal data.
This year’s DarkSide ransomware attack on the US’s Colonial Pipeline disrupted fuel services across the country’s east coast, causing fuel prices to soar and compelling the fuel provider to pay the attackers a $4.4 million ransom. Now a spokesperson has divulged to CNN that the attackers also gained access to the personal data of around 6,000 individuals. The exposed data include names, birth dates, and government-issued ID numbers, mostly of employees and their dependents, though The Daily Signal explains not all of this info was compromised for every individual. “We have begun the process of directly notifying individuals whose relevant personal information was acquired, and we are offering complimentary credit monitoring services to those individuals,” a spokesperson stated. As Bleeping Computer recounts, the media attention led DarkSide to shutter operations, but experts say new threat group BlackMatter is likely just DarkSide with a makeover.
Pearson learns the cost of a data breach.
Bleeping Computer shares that leading education publisher Pearson will pay a $1 million civil penalty for allegedly attempting to conceal a 2018 data breach that exposed the data of 13,000 customer accounts. Pearson agreed to the settlement “without admitting or denying the findings,” but Kristina Littman of the US Securities and Exchange Commission explains, “As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then Pearson understated the nature and scope of the incident, and overstated the company's data protections."
Keep your enemies closer.
Apple recently sued device virtualization company Corellium on the grounds that Corellium’s virtual iPhones violated Apple’s intellectual property, a claim that was thrown out by a federal judge who ruled that Corellium’s products fall under the fair use doctrine of copyright law. In a case of karmic retribution, the Washington Post reveals Corellium is offering grants to support “independent public research into the security and privacy of mobile applications,” including investigating Apple’s controversial new child protection features. Corellium announced, “We applaud Apple’s commitment to holding itself accountable by third-party researchers. We believe our platform is uniquely capable of supporting researchers in that effort.”