Google Fi breach linked to SIM swapping attacks. No such thing as small data. Hackers put the brakes on UK car retailer’s operations.

Summary

By the CyberWire staff

At a glance.

Google Fi breach linked to SIM swapping attacks.
No such thing as small data.
Hackers put the brakes on UK car retailer’s operations.

Google Fi breach linked to SIM swapping attacks.

As we noted yesterday, Google’s telecommunications service Google Fi has disclosed that some customer data were exposed as a result of the recent T-Mobile data breach. SIM card serial numbers were among the compromised data, and Google Fi has issued a warning that this info allowed threat actors to conduct SIM swap attacks on some customers.

As Bleeping Computer explains, SIM swapping attacks involve threat actors tricking mobile carriers to port a customer's phone number to a mobile SIM card under the attacker's control. In order to do this, the hacker poses as the customer, using personal data stolen through social engineering or phishing scams (or in this case, the Google Fi breach) to gain credibility. Once the number is ported, the attackers can access the victim's text messages and multi-factor authentication codes, which opens the door for a variety of other crimes.

Google has sent the potential SIM swap victims a special notification reading, “On January 1, 2023, for about 1 hour 48 minutes, your mobile phone service was transferred from your SIM card to another SIM card. During the time of this temporary transfer, the unauthorized access could have involved the use of your phone number to send and receive phone calls and text messages.” Some victims have already taken to social media to discuss the ordeal, with one Google Fi customer posting on Reddit that a hacker took over “three of my online accounts -- my primary email, a financial account, and the Authy authenticator app, all because they were able to receive my SMSes and therefore defeat SMS-based 2-fac."

No such thing as small data.

The nonprofit Identity Theft Resource Center released its Annual Data Breach Report, and it lists the main sources for data used in social engineering attacks last year. Topping the chart were Twitter, Neopets, AT&T Data, and Cash App. Some might find these results surprising, given that the data users share on some of these platforms is not considered highly sensitive, but researchers say resourceful cybercriminals can find a way to turn even seemingly trivial data into a payday. Eva Velasquez, president and CEO of the Identity Theft Resource Center, told CBS17.com, “Things like our behaviors, our likes and dislikes — that data has value and its being used in social engineering attacks.” She says threat actors can use such data to build behavioral profiles on their victims, making it easier to track their activities or pose as them for identity fraud scams. Her advice for individuals looking to protect themselves: “Be careful about what you share and don’t put everything on social media. Adopt a zero-trust approach. If you get an email, phone call or text, don’t automatically assume because they have a little information on you that you’re talking to whoever they say they are.”

Hackers put the brakes on UK car retailer’s operations.

Leading UK car dealer Arnold Clark has disclosed it suffered a cyberattack in December at the hands of the Play ransomware group, Bleeping Computer reports. In customer notification emails sent this week, the company stated, "During this incident, it appears that some personal data stored in our network may have been stolen, including names, contact details, dates of birth, vehicle details, ID documents (such as passports and driver's licenses), National Insurance numbers (in limited cases) and bank account details.”

A day after the attack was detected, Arnold Clark disconnected its systems from the web and has been working to restore the compromised systems in order to rebuild its "network in a new segregated environment." The police and the UK Information Commissioner's Officer have been notified of the incident, and an investigation is underway to determine the full scope of breach. In the meantime, the car retailer is warning customers of the potential threat of phishing attacks or other scams connected to the compromised data.

Erfan Shadabi, cybersecurity expert with data security specialists comforte AG, commented on the Arnold Clark incident. “This incident emphasizes just how important it is for retailers to protect customer data effectively," Shadabi wrote. "These industries thrive on online transactions, which also requires them to collect sensitive PII that threat actors are always targeting. Organizations need to do their due diligence, understand the true nature of the sensitive data they protect, and find the right methods to guard the data itself rather than just the borders around it. Data-centric security like tokenization and format-preserving encryption isn’t just for the gargantuan enterprises spanning the globe—even a small- or medium-sized organization can suffer a large-scale attack on their data—to devastating consequences, unless of course a smart data-centric security strategy stands in the way.”

Selected Reading

Data breaches now include 'less sensitive' information but still proving valuable to hackers (CBS17.com) It’s not just online activities that expose people to data breaches, but it’s everyday activities such as driving a car, going food shopping or dining out.

US manufacturing & utility businesses leaked nearly 38 million records in 136 data breaches in 2022 (Comparitech) Over the last three years, US businesses that specialize in manufacturing and utilities have suffered 562 data breaches affecting nearly 91 million records. Based on the average cost per breached record (as reported by IBM each year), we estimate these breaches may have cost these businesses more than $14.7 billion. In 2022 alone, 136 data […]

Arnold Clark customer data stolen in attack claimed by Play ransomware (BleepingComputer) Arnold Clark, self-described as Europe's largest independent car retailer, is notifying some customers that their personal information has been stolen in a December 23 cyberattack claimed by the Play ransomware group.

School districts in Tucscon, Nantucket are responding to active ransomware attacks (Axios) Nantucket Public Schools canceled classes Wednesday as it responds the ongoing incident.

Mortgage Financial Technologies Company Exposed Hundreds of Thousands of Records Online (Website Planet) Security researcher Jeremiah Fowler together with the Website Planet research team discovered an open and non-password protected database that

Google Fi data breach let hackers carry out SIM swap attacks (BleepingComputer) Google Fi, Google's U.S.-only telecommunications and mobile internet service, has informed customers that personal data was exposed by a data breach at one of its primary network providers, with some customers warned that it allowed SIM swapping attacks.

Password-stealing “vulnerability” reported in KeePass – bug or feature? (Naked Security) Is it a vulnerability if someone with control over your account can mess with files that your account is allowed to access anyway?

Dumped data shows widespread surveillance of Russian citizens (Computing) Hacking collective CAXXII has released around 128GB of data from Russia, which appears to reveal a vast domestic surveillance routine of civilians and private enterprises throughout the country.

GoodRx Leaked User Health Data to Facebook and Google, F.T.C. Says (New York Times) The popular drug discount app deceptively shared details on users’ illnesses and medicines with ad firms, regulators said in a legal complaint.