Categories: Security

The T-Mobile Data Breach: Lessons Learned

The majority of our readers will have heard about T-Mobile in one way or the other: the company is said to be the third largest international telecommunications company after UK’s Vodafone and Spain’s Telefónica.

The T-Mobile data breach is said to be one of the worst data breaches that have happened recently. Approximately a year ago, in August 2021, T-Mobile has admitted its systems were subject to a data breach. A hacker could have stolen names, social security numbers, addresses, and information regarding the driver’s licenses of the company’s clients – the breach is also said to affect around 77 million people. Worse yet, T-Mobile has agreed to pay around $350 million in fines surrounding the data breach, but it has also said that it will spend around $150 million to make its security better.

The Data Breach

The T-Mobile data breach is said to have happened somewhere in August 2021. At the 20th of August, the company released a statement saying that it’s continuing to “work around the clock on the forensic analysis and investigation into the cyberattack against T-Mobile systems while also taking a number of proactive steps to protect customers and others whose information may have been exposed.” In the blog, the company has said that it has determined that phone numbers, IMEI and IMSI information were compromised, as well as the fact that millions of customer accounts have been compromised, however, the company said that it has no indication that data contained in any of the stolen data included any financial, credit, debit, or any payment information.

Ongoing investigation into the data breach by T-Mobile has determined that around 49 million people had their personal data stolen. The company has initially posted a statement about the data breach, however, as time went on, they’ve posted an update and confirmed that the data breach affected SSNs, names of customers, their date of birth and driver’s license information for current and former customers.

In 2022, the company confirmed that it has been a victim of the “Lapsus$” hacker group too – it’s said to be a separate incident as well.

According to TechCrunch, in 2022 the hackers going by an alias “Lapsus$” targeted T-Mobile’s source code. The news about hackers in the data breach are said to hit the news when an information security journalist Brian Krebs wrote a blog titled “Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code” in April 2022 where he said that “The logs show LAPSUS$ breached T-Mobile multiple times in March, stealing source code for a range of company projects.”

The Hacker Group “LAPSUS$”

It’s not clear whether LAPSUS$ were the ones responsible for the data breach in 2021, but in his blog, journalist Brian Krebs said that from its inception in December 2021 until its end in March 2022, the hacker group operated on a Telegram channel which had more than 40,000 followers due to the group members leaking huge volumes of data from known corporations like Nvidia, Ubisoft, and Okta. To add to this, according to research done by Brian Krebs, the group had seven “core” members that used private Telegram channels to communicate.

What ultimately made the group known is their ability to steal data and then demanding a ransom not to publish or sell it – some people in the group were said to have stolen and leaked proprietary computer source code from the largest tech companies. Ironically, that’s what’s also led to an unveiling of the group.

The LAPSUS$ hacker group had allegedly planned their final attacks in March 2022 – journalist Krebs also said that the conversations between members of LAPSUS$ suggest that the group frequently obtained access to organizations by purchasing it from websites in the Russian market which sell access to credentials stored on systems.

However, not all operations for LAPSUS$ were very successful – journalists also say that the hackers wanted to socially engineer employees of the company that they target into adding one of their computers or phones into the company’s VPN network, but were not very successful. Some journalists also suggest that LAPSUS$ targeted T-Mobile employees with an aim to pursue SIM-swapping attacks. Such an attack is also known as simjacking and it’s a type of an account takeover attack which aims to reassign a phone number to another device and then intercept messages, calls, or send 2-FA (two factor authentication) emails or messages to another phone (the phone that a nefarious party controls.)

Coming back to T-Mobile, the hackers allegedly accessed the Slack and Bitbucket accounts of the company which means that they did not only pursue their SIM-swapping goals and stole data, but they also could’ve read interactions between the employees of the company and see all of the files associated with the employees of T-Mobile.

The Aftermath

The Data Breach in 2021

In July 2022, some news outlets said that T-Mobile had agreed to give money to customers affected by the data breach in 2021. The news broke after some journalists spotted a SEC filing outlining a class-action settlement. The settlement is said to have split a $350 million payout among the lawyers of T-Mobile – eventually, it should reach the customers of T-Mobile as well – according to TechCrunch, the customers of T-Mobile should know if they will receive money within a couple of months. First, the company has to notify all of their customers who paid for services in August last year, and once they calculate all applicable fees, split the money between them. On the other hand, many people think that the money won’t amount to a huge sum – sure, $350 million is a lot of money, but after all, since there are millions of customers using services provided by T-Mobile, the sum that the company pays is not likely to exceed $10.

The Data Breach in 2022

Regarding the data breach in 2022, the hackers were said to be “in a position” to carry out SIM-swapping attacks, but it’s not clear whether those attacks were successful or not. What is known is the fact that the hackers, unfortunately, were able to steal some source code for certain projects developed by T-Mobile. Some other companies in the list of offenders are said to include Samsung, Microsoft, and Globant.

Here’s what T-Mobile said about the data breach in 2022:

<…> “Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software,” <…> “Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.” <…>

A statement by T-Mobile after the data breach in 2022

Such a statement kind of suggests that the nefarious party used some sort of data that has been stolen in the past to access the servers of the company – and that perfectly outlines the risk of reusing passwords again and again.

Data breaches are not only the result of flaws in software – in many cases, they are a result of re-used passwords. Even though security experts have been warning against doing so for decades ever since data breaches had became a thing, some people, seemingly, still haven’t been able to learn from the mistakes in this area – and sadly, we don’t think this is going to change very soon.

What can change the situation, however, are services that allow your employees to proactively protect themselves from security breaches – one of such services is BreachDirectory. By using services provided by BreachDirectory, your employees can not only know if their account details were compromised after a data breach in the past by using the search engine, but also take action and help you implement a data breach scanner into the ecosystem of your company. It’s all really easy to do – grab an API key, craft a link, and you’re off to a more secure tomorrow. Imagine if every person reading this article contributed to the safety on the web in one way or another: how much safer we would be? Try out the search feature available in BreachDirectory, grab an API key for a more secure future of your company, and we will see you in the next blog!

Nirium

Recent Posts

Schneider Electric: JIRA Server Breached

There have been rumors about a data breach targeting Schneider Electric. Did a data breach…

1 month ago

The Makers of Fiskars Scissors Got Breached: What’s Known

There have been rumors about the Fiskars Group – the company behind Fiskars scissors and…

1 month ago

Russia Fines Google for $20,000,000,000,000,000,000,000,000,000,000,000

Russia has fined Google more than two undecillion roubles because Google has refused to pay…

1 month ago

RockYou 2024.txt Looks Like a Binary File – Here’s Why

Why does RockYou 2024.txt look like a binary file when you open it up? Find…

1 month ago

Duolicious Data Leak: What You Need to Know

Duolicious is a dating app that connects people who are “chronically online.” Did the Duolicious…

1 month ago

What is RockYou 2024.txt and How Did RockYou 2024 Come to Be?

This blog will tell you what RockYou 2024 is, how RockYou 2024.txt came to be,…

1 month ago