Wednesday, August 25, 2021
David Stewart, chief executive officer at Approov, described the T-Mobile breach as an alarm call to all enterprises that share customers with T-Mobile. "With 100M users' data for sale on the dark web, including usernames, passwords and other personal data, all such enterprises should expect script-driven credential stuffing attacks imminently against their APIs," he said.
Stewart went on to say passwords are frequently reused across platforms, which makes T-Mobile credentials valid for other platforms. "This would be a truly excellent time for all enterprises to ensure that API calls are authorized by at least one independent authentication factor over and above their standard user authentication method," he said.
After confirming reports of a data breach on Aug. 17, 2021, T-Mobile has been providing updates on its website, stating it will continue "to work around the clock on the forensic analysis and investigation into the cyberattack against T-Mobile systems while also taking a number of proactive steps to protect customers and others whose information may have been exposed."
In an Aug. 20, 2021, Washington Post article, titled "Here's what to do if you think you're affected by T-Mobile's big data breach," journalist Chris Velazco reported the T-Mobile event is the fifth consecutive incident for the mobile carrier over a five-year span.
Velazco wrote that "full names, date of birth, Social Security numbers, information from driver's licenses as well as unique identifiers for customers' phones were leaked, potentially putting millions of those at a greater risk of identity theft." He added, "Unfortunately, dealing with data breaches is nothing new for the company – or its customers."
AT&T, on the other hand, issued a short statement on Aug. 20, 2021, denying cyberattack reports despite mounting evidence that the company's network was breached by ShinyHunters, a known threat actor. "Based on our investigation today, the information that appeared in an internet chat room does not appear to have come from our systems," AT&T representatives stated.
ShinyHunters has previously taken credit for attacks on Microsoft, Mashable and other high-profile brands, according to Sven Taylor, founder at RestorePrivacy, a privacy and security resource center.
In an Aug. 19, 2021, post titled "Exclusive: Hacker selling private data allegedly from 70 million AT&T customers," Taylor indicated that ShinyHunters posted sample data from approximately 70 million stolen AT&T accounts on an underground hacking forum. "We analyzed the data and found it to include Social Security numbers, date of birth, and other private information," Taylor wrote. "The hacker is asking $1 million for the entire database."
Taylor urged AT&T customers to be vigilant and react quickly to suspicious activities, stating a security breach puts them at risk for identity theft, phishing attempts, social engineering attacks, hacked accounts and Social Security scams. "The website haveibeenpwned.com, which is maintained by cybersecurity researcher Troy Hunt, is a useful tool to check if your personal information has been compromised," he wrote.
iTechPost blogger Czarina Grace Del Valle shared additional tips in her Aug. 19, 2019, post titled "Are You Affected by the T-Mobile data breach? Four Ways to Protect Yourself if You're Exposed." Freeze your credit with all three reporting agencies, TransUnion, Equifax and Experian, she advised, and constantly check credit reports and bank statements. Inspect any strange bills and always be careful, she added.
"Whether or not you are a victim of the T-Mobile leak, you should be extra careful of your identity," Del Valle wrote. "Try to maintain good security habits like changing passwords regularly and not using public Wi-Fi for sensitive business transactions."
Washington Post's Velazco recommended rethinking two-factor authentication, pointing out that bad actors who have stolen customer data and swapped a mobile phone's SIM can easily pose as their victims.
"Let's say an attacker manages to obtain your name, date of birth and Social Security number — if they luck out and find your address and reused password in other data dumps, that might be enough to give them access to your T-Mobile account," Velazco wrote. "If that happens, you could be vulnerable to what's called a SIM-swap attack, in which the hacker manages to switch control of your phone number to a phone they control."
As cyclical security breaches continue to roil mobile carriers, retailers and service providers, attackers are emboldened by their success and increasingly ransom massive swaths of data, experts have noted.
Saryu Nayyar, chief executive officer at Gurucul, advises victimized companies not to cave in to ransom demands. "While we have seen similar breaches with large numbers of accounts, this one is unique in that the attackers are offering to sell the most sensitive data back to T-Mobile," she said. "This makes it a type of ransomware attack, although it also involves data theft. T-Mobile should be wary of doing this, as data can be copied and resold outside of any agreement reached."
Doug Britton, chief executive officer at Haystack Solutions, agreed, emphasizing the need for fresh talent in the cybersecurity workforce. "We have the tools to find cyber talent regardless of background," he said. "We need to collectively take action to leverage these tools and accelerate the talent development needed to combat data breaches and ransomware attacks or we risk eroding consumer confidence and suffering future exploits."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.