Latest T-Mobile Data Breach Has Some Wondering ‘How Lapsus$ Got Access in the First Place’

T-Mobile has confirmed yet another data breach, this time by the Lapsus$ extortion gang, which used stolen credentials and gained access to internal systems.

Saying the hackers didn’t access any customer data, T-Mobile sent us the following statement:

“Several weeks ago, our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. The systems accessed contained no customer or government information or other similarly sensitive information. And we have no evidence that the intruder was able to obtain anything of value. Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”

Brian Krebs first reported the breach after reviewing leaked Telegram chat messages between Lapsus$ members. He said while inside the mobile carrier’s network, the hackers were able to steal proprietary T-Mobile source code.

According to Bleeping Computer, T-Mobile has disclosed six other data breaches since 2018, including one where hackers accessed data belonging to 3% of its customers.

Last August, a data breach impacted more than 53 million T-Mobile customers. It prompted two class-action lawsuits against the carrier.

Lapsus$ also recently targeted Microsoft and Okta with data leaks.

Latest T-Mobile Breach Prompts Questions

Mark Lambert is vice president of products at ArmorCode, an application security provider.

ArmorCode’s Mark Lambert

“While T-Mobile did a great job making sure the ‘intrusion was rapidly shut down and closed off,’ you must ask yourself how did they get access in the first place?” he said. “As organizations like T-Mobile race to deliver features to customers to gain competitive advantage, cracks appear in their security posture. Leveraging cloud with dynamically created container-based infrastructure enables organizations to instantaneously deploy and scale software delivery, but exponentially increases the volume of security findings that are from application security and infrastructure security tools. Organizations need to be leveraging AppSecOps practices as well as DevSecOps to operationalize application security and ensure that they can scale the team’s response to security findings to the same level they have scaled their software delivery.”

Tim Wade is deputy CTO at Vectra.

Vectra’s Tim Wade

“Unsurprisingly, stolen credentials continue to be a preferred method of compromise,” he said. “Perhaps what is surprising for many organizations is just how many risks exist around credentials and how often an inability to effectively gauge risks to their posture, or detect and respond when something goes awry gives an adversary an opportunity to step up to the batter’s box. With enough at-bats, adversaries will get on base. Organizations need to intentionally think long and hard at not only how they’ll manage risks on the front edge, but how they’ll uncover and expel an adversary post-compromise.”

Cyberattacks More Damaging, Complex

Arti Raman is CEO and founder of Titaniam, an endpoint management and security provider.

Titaniam’s Arti Raman

“T-Mobile’s confirmation that the Lapsus$ extortion gang breached its network shows how much more damaging and complex cyberattacks have become as extortion attempts rise in popularity,” she said. “This highlights the importance of technologies like encryption-in-use, also known as data-in-use encryption, which specifically protect against data extortion.”

T-Mobile, which recently failed to buy back stolen data that was being ransomed, is just one example of how double extortion, and even triple extortion, cyberattacks are becoming commonplace, Raman said.

Not only do bad actors steal data for their own malicious usage, she said. They often try to increase their profits by taunting organizations about releasing the data publicly without a hefty payment. Moving to encryption-in-use provides unprecedented immunity.