One cybersecurity expert said this breach could involve all T-Mobile customers past and present.

Edward Gately, Senior News Editor

August 16, 2021


T-Mobile is investigating a reported breach in which a hacker claims to be selling the personal information of over 100 million of its customers.

The T-Mobile data breach was first reported by Vice, a U.S.-based digital media outlet. It said a forum post claims to be selling a mountain of personal data. The forum post itself doesn’t mention T-Mobile. However, the seller reportedly said they have obtained data related to over 100 million people, and that the data came from T-Mobile servers.

The data includes Social Security numbers, phone numbers, names, physical addresses, driver’s license information and more, the seller said.

T-Mobile Working ‘Around the Clock’

T-Mobile sent us the following statement:

“We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed. We take the protection of our customers very seriously. And we are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims. And we are coordinating with law enforcement.”

“We have determined that unauthorized access to some T-Mobile data occurred. However, we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed. And we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed. This investigation will take some time, but we are working with the highest degree of urgency. Until we have completed this assessment, we cannot confirm the reported number of records affected or the validity of statements made by others.”

“We understand that customers will have questions and concerns, and resolving those is critically important to us. Once we have a more complete and verified understanding of what occurred, we will proactively communicate with our customers and other stakeholders.”

Retaliation for U.S. Cyber Espionage Activity?


Vectra’s Hitesh Sheth

Hitesh Sheth is president and CEO of Vectra, an artificial intelligence (AI) cybersecurity provider.

“T-Mobile’s attackers apparently claim they ransacked company databases as reprisal for U.S. espionage activity,” he said. “They do not seem to be demanding ransom. If true, it further blurs the lines in cyberwar between government and private assets. Every business has to consider what kind of prize it, too, might represent to threat actors out to score political points.”

If privately-owned infrastructure is going to suffer retaliation for things government does, businesses must shore up their cyber defenses.

“It’s vital that deeper, smarter public-private partnerships define cybersecurity norms, roles and responsibilities,” Sheth said. “Like it or not, when a critical enterprise is a cyber target, it’s playing a role in national defense.”

More Attacks Expected Thanks to Reused Passwords


Approov’s David Stewart

David Stewart is CEO of Approov, an API security provider.

“If this T-Mobile data breach turns out to be genuine, and the initial signs are that it is, it is an alarm call to all enterprises who may share customers with T-Mobile,” he said. “With 100 million users’ data for sale on the dark web, including usernames, passwords and other personal data, all such enterprises should expect script-driven credential-stuffing attacks imminently against their APIs.”

The probability that passwords have been reused across platforms is extremely high, Stewart said. Therefore, some of the T-Mobile credentials will also be valid for other platforms.

All enterprises need to ensure that API calls are authorized by at least one independent authentication factor over and above their standard user authentication method, he said.
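As an added illustration of the script-driven credential stuffing Stewart warns about (example code written for this page, not code from Approov, T-Mobile or the article), the detector below scans API login records for a single source cycling through many distinct usernames with mostly failed attempts, and reports which accounts that source did get into; the log format and sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample API login log: timestamp, source IP, username, result.
# 198.51.100.7 replays a leaked credential list across many accounts;
# 203.0.113.9 is one user retrying a single account and must not be flagged.
SAMPLE_LOG = """\
2021-08-16T10:00:01Z 198.51.100.7 alice@example.com FAIL
2021-08-16T10:00:01Z 198.51.100.7 bob@example.com FAIL
2021-08-16T10:00:02Z 198.51.100.7 carol@example.com FAIL
2021-08-16T10:00:02Z 198.51.100.7 dave@example.com OK
2021-08-16T10:00:03Z 198.51.100.7 erin@example.com FAIL
2021-08-16T10:00:03Z 198.51.100.7 frank@example.com FAIL
2021-08-16T10:00:04Z 203.0.113.9 alice@example.com FAIL
2021-08-16T10:00:09Z 203.0.113.9 alice@example.com OK
"""


def parse_auth_log(text):
    """Yield (timestamp, source_ip, username, success) per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, src, user, result = line.split()
            yield ts, src, user, result == "OK"


def find_credential_stuffing(text, min_users=5, min_fail_ratio=0.6):
    """Flag sources that try many distinct usernames with mostly failed logins.

    Returns {source_ip: {distinct_users, fail_ratio, compromised}}; the
    'compromised' list holds accounts the flagged source logged into, i.e.
    reused passwords that need a forced reset or step-up authentication.
    """
    per_src = defaultdict(lambda: {"users": set(), "fails": 0, "n": 0, "hits": set()})
    for _ts, src, user, ok in parse_auth_log(text):
        s = per_src[src]
        s["users"].add(user)
        s["n"] += 1
        if ok:
            s["hits"].add(user)
        else:
            s["fails"] += 1
    flagged = {}
    for src, s in per_src.items():
        ratio = s["fails"] / s["n"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {"distinct_users": len(s["users"]),
                            "fail_ratio": round(ratio, 2),
                            "compromised": sorted(s["hits"])}
    return flagged
```

The thresholds are deliberately simple; in production they would be tuned per endpoint and combined with the independent second factor Stewart recommends, so that a correct password alone never authorizes an API call.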

One of the Largest, Most Sophisticated Attacks Ever


Gurucul’s Saryu Nayyar

Saryu Nayyar is founder and CEO of Gurucul, a behavior-based security analytics provider. She said the 100 million-plus figure seems to indicate that it’s the entire T-Mobile list of customers, present and past. That makes the T-Mobile breach “one of the largest and most sophisticated attacks on record.”

Nayyar said this attack is unique because the attackers are offering to sell the most sensitive data back to T-Mobile.

“This makes it a type of ransomware attack, although it also involves data theft,” she said. “T-Mobile should be wary of doing this, as data [can] be copied and resold outside of any agreement reached. But it seems that hackers believe that a ransomware approach offers a more fruitful means to profit than selling account data on the open market.”

Backdoor Access Gained

Hank Schless is senior manager of security solutions at Lookout, an endpoint-to-cloud security company.

Lookout’s Hank Schless

“Reports on this data breach indicate that the attacker was able to gain backdoor access to T-Mobile’s infrastructure in order to access and exfiltrate such a large amount of data,” he said. “An attacker usually creates a backdoor by either exploiting a vulnerability or using social engineering to convince an employee to install an infected file that opens up access. Once the attacker has that backdoor access, they can move laterally around the infrastructure to locate highly valuable data. From there, they can either exfiltrate it or encrypt it to kick off a ransomware attack. If the attacker is able to swipe employee credentials as part of their initial attack, then their chances of success are that much higher because they’re masked as a legitimate user.”

This incident highlights the importance of visibility and anomalous behavior detection, Schless said.

“As organizations expand their cloud footprint, enable remote access to on-premises infrastructure, and allow their employees to use personal mobile devices to access company data, they need to implement security and access policies across all of those resources,” he said. “Understanding exactly how your users, devices, files and services interact with each other is the best way to prevent incidents like this. A cloud security platform that can provide this level of visibility is key to any enterprise security strategy.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
