T-Mobile Investigating Reported Data Breach Involving 100 Million People

T-Mobile Investigating Reported Data Breach Involving 100 Million Customers

Written by Edward Gately
August 16, 2021

One cybersecurity expert said this breach could involve all T-Mobile customers past and present.

T-Mobile is investigating a reported breach in which a hacker claims to be selling the personal information of over 100 million of its customers.

The T-Mobile data breach was first reported by Vice, a U.S.-based digital media outlet. It said a forum post claims to be selling a mountain of personal data. The forum post itself doesn’t mention T-Mobile. However, the seller reportedly said they have obtained data related to over 100 million people. In addition, the data came from T-Mobile servers.

The data includes social security numbers, phone numbers, names, physical addresses, driver licenses information and more, the seller said.

T-Mobile Working ‘Around the Clock’

T-Mobile sent us the following statement:

“We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed. We take the protection of our customers very seriously. And we are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims. And we are coordinating with law enforcement.”

“We have determined that unauthorized access to some T-Mobile data occurred. However, we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed. And we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed. This investigation will take some time, but we are working with the highest degree of urgency. Until we have completed this assessment, we cannot confirm the reported number of records affected or the validity of statements made by others.”

“We understand that customers will have questions and concerns, and resolving those is critically important to us. Once we have a more complete and verified understanding of what occurred, we will proactively communicate with our customers and other stakeholders.”

Retaliation for U.S. Cyber Espionage Activity?

Vectra’s Hitesh Sheth

Hitesh Sheth is president and CEO of Vectra, an artificial intelligence (AI) cybersecurity provider.

“T-Mobile’s attackers apparently claim they ransacked company databases as reprisal for U.S. espionage activity,” he said. “They do not seem to be demanding ransom. If true, it further blurs the lines in cyberwar between government and private assets. Every business has to consider what kind of prize it, too, might represent to threat actors out to score political points.”

If privately-owned infrastructure is going to suffer retaliation for things government does, businesses must shore up their cyber defenses.

“It’s vital that deeper, smarter public-private partnerships define cybersecurity norms, roles and responsibilities,” Sheth said. “Like it or not, when a critical enterprise is a cyber target, it’s playing a role in national defense.”

More Attacks Expected Thanks to Reused Passwords

Approov’s David Stewart

David Stewart is CEO of Approov, an API security provider.

“If this T-Mobile data breach turns out to be genuine, and the initial signs are that it is, it is an alarm call to all enterprises who may share customers with T-Mobile,” he said. “With 100 million users’ data for sale on the dark web, including usernames, passwords and other personal data, all such enterprises should expect script-driven credential-stuffing attacks imminently against their APIs.”

The probability that passwords have been reused across platforms is extremely high, Stewart said. Therefore, some of the T-Mobile credentials will also be valid for other platforms.

All enterprises need to ensure that API calls are authorized by at least one independent authentication factor over and above their standard user authentication method, he said.

One of the Largest, Most Sophisticated Attacks Ever

Gurucul’s Saryu Nayyar

Saryu Nayyar is founder and CEO of Gurucul, a behavior-based security analytics provider. She said that 100 million-plus number seems to indicate that it’s the entire T-Mobile list of customers, present and past. That makes the T-Mobile breach “one of the largest and most sophisticated attacks on record.”

Nayyar said this attack is unique because the attackers are offering to sell the most sensitive data back to T-Mobile.

“This makes it a type of ransomware attack, although it also involves data theft,” she said. “T-Mobile should be wary of doing this, as data [can] be copied and resold outside of any agreement reached. But it seems that hackers believe that a ransomware approach offers a more fruitful means to profit than selling account data on the open market.”