Not all data breaches are created equal. None of them are good, but they do come in varying degrees of bad. A T-Mobile breach that hackers claim involved the data of 100 million people deserves your attention. Someone on the dark web claims to have obtained the data of 100 million people from T-Mobile’s servers and is selling a portion of it on an underground forum for 6 bitcoin, about $280,000. The trove includes not only names, phone numbers, and physical addresses but also more sensitive data like social security numbers, driver’s license information, and unique identifiers tied to each mobile device. The samples of the data contained accurate information on T-Mobile customers.
A lot of that information is already widely available, even the social security numbers, which can be found on any number of public records sites. There’s also the reality that most people’s data has leaked at some point or another. But the apparent T-Mobile breach offers potential buyers a blend of data that could be used to great effect, and not in ways you might automatically assume.
Streamline The Process:
“This is ripe for using the phone numbers and names to send out SMS-based phishing messages that are crafted in a way that’s a little bit more believable,” says the director of threat intelligence at email security company Abnormal Security. Yes, names and phone numbers are relatively easy to find. But a database that ties those two together, along with identifying someone’s carrier and fixed address, makes it much easier to convince someone to click on a link that advertises or upgrades for T-Mobile customers.
The same is true for identity theft. Again, a lot of the T-Mobile data is out there already in various forms across various breaches. But having it centralized streamlines the process for criminals or for someone with a grudge, or a specific high-value victim in mind, says a team lead at risk intelligence firm Flashpoint.
And while names and addresses may be fairly common grist at this point, International Mobile Equipment Identity numbers are not. Because each IMEI number is tied to a specific customer’s phone, knowing it could help in a so-called SIM-swap attack. This could lead to account takeover concerns, since threat actors could gain access to two-factor authentication or one-time passwords tied to other accounts such as email, banking, or any other account employing advanced authentication security features using a victim’s phone number. That’s not a hypothetical concern; SIM-swap attacks have run rampant over the past several years, and a previous breach, which T-Mobile disclosed, was used specifically to execute them.
Investigating a Data Breach:
T-Mobile confirmed that a breach had occurred but not whether customer data had been compromised. “We have been working around the clock to investigate claims being made that T-Mobile data may have been illegally accessed,” the company said in an emailed statement. “We have determined that unauthorized access to some T-Mobile data occurred, however we have not yet determined that there is any personal customer data involved. We are confident that the entry point used to gain access has been closed, and we are continuing our deep technical review of the situation across our systems to identify the nature of any data that was illegally accessed.”
In the meantime, you can take a few admittedly limited steps to at least limit the potential fallout if all that data did get stolen. Change your T-Mobile password and security PIN. Companies that have leaked social security numbers and other especially sensitive information have in the past offered free credit monitoring to victims, so keep an eye on communications from T-Mobile to see if it offers the same. As for, there’s not much you can do against a determined attacker, but a good first step is to start using instead of having codes sent to you by text message.
After so many data breaches in recent years, it’s easy to let them drift by without paying much mind. And it’s true, to a certain extent, that most of the data you care about is available to hackers. If anyone wants to commit identity theft, most of the information is already out there in one of the dozens of other data breaches that have happened previously.
But it’s still important to focus on the big ones, both to know your specific risks and to hold companies accountable for their lapses. So far, shrugging it off hasn’t worked; if the data’s legitimate, this would be T-Mobile’s sixth known breach in four years.