Around August 14, 2021, news started to trickle out that T-Mobile, the second largest wireless carrier in the USA, had suffered a data breach. Over the next two weeks a number of startling data points about the scope and scale of the breach would emerge, including:
- Somewhere around 10 million of T-Mobile’s 100-plus million customer base had numerous items of personally identifiable information stolen, including names, dates of birth, SSNs, driver’s license numbers, phone numbers and IMEI and IMSI information about their T-Mobile cellphones
- Similar PII items for 40 million or so prospective or former T-Mobile customers were likewise stolen
- Ditto for 5 million “current postpaid customer accounts”, 850K pre-paid T-Mobile customers, and 52K customers with Metro by T-Mobile accounts (this latter category did not include SSN, DOB, or driver’s license data)
In a shocking interview on August 27, 2021 for the Wall Street Journal, a 21-year-old American named John Binns who currently lives in Turkey identified himself as the primary mover behind this data breach. His summary of his exploit is stark and scary. The WSJ story headline quotes him as saying “Their security is awful.” In total, personal details on over 50 million individuals were stolen.
The Mechanics of the Breach
Mr. Binns told the WSJ he made his way into the T-Mobile IT infrastructure by scanning their public networks and finding an unprotected router in July. He had been performing routine reconnaissance of their networks, and gained access to a data center in western Washington state. The breach was originally uncovered in mid-August when a US company found its account information for sale on the Dark Web, and various reports indicate that the entire trove of records was up for sale for 6 bitcoin (worth over US$275K as this story is written).
In follow-up interviews with Motherboard and Bleeping Computer, Mr. Binns disclosed further details of his attack. To Bleeping Computer (a well-known, UK-based computer security news and information site) he said he obtained ingress into T-Mobile’s systems and networks through its “production, staging and development servers.” To Motherboard, he asserted that he grabbed PII from the T-Mobile servers before the company was able to eject him from inside their security perimeter. Before that happened, he obtained copies of PII for over 50 million current, former and prospective T-Mobile customers. Bleeping Computer reported that Binns said that he hacked into an Oracle database that contained data for “approximately 100 million T-Mobile customers.”
Lessons Worth Learning From This Exploit
Access to T-Mobile’s networks and servers proved to offer access to information well beyond most hackers’ expectations. Mr. Binns expressed surprise at finding himself able to explore “more than 100 of the company’s servers” (source: ZDNet). Obviously, one important takeaway from this exploit is the importance of commissioning Red Team exercises and acting upon their findings. In such exercises, trained penetration experts try all of their tricks and wiles to break into company networks and assets, then report on their findings away from public scrutiny (and possible data breaches). It’s far better to have paid experts find unauthorized ingress points, and then close them, before external attackers can find and exploit them, as was the case with this T-Mobile breach.
Another surprising outcome was disclosure of PII from former customers, some from as far back as 2004, as well as from prospective customers. The WSJ story quotes Glenn Gerstell, a former general counsel for the NSA, as saying that T-Mobile did not implement “good data management practices.” Certainly, it makes sense to purge old customer records when records age past applicable record retention laws or licensure regulation retention requirements. This seldom exceeds 7 years in any jurisdiction, and often expires in 3 years. Thus, the theft in 2021 of records dating back to 2004 shows that a long-overdue age-out and purge should have happened a decade or more ago for the oldest records involved.
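The age-out and purge described above can be sketched as a scheduled job. This is an added example, not code from the article or from T-Mobile; the `customers` table, its column names and the sample rows are constructed for illustration, and the 7-year window is the upper bound the article cites rather than legal guidance.

```python
import sqlite3
from datetime import date

RETENTION_YEARS = 7  # assumption: the upper bound the article cites
PII_COLUMNS = ("ssn", "dob", "drivers_license")  # hypothetical column names

def cutoff(today, years=RETENTION_YEARS):
    """ISO date before which an ended relationship is past retention."""
    day = 28 if (today.month, today.day) == (2, 29) else today.day
    return today.replace(year=today.year - years, day=day).isoformat()

def find_expired(conn, today):
    """Ids of former/prospective records past retention that still hold PII."""
    holds_pii = " OR ".join(f"{c} IS NOT NULL" for c in PII_COLUMNS)
    rows = conn.execute(
        "SELECT id FROM customers WHERE status IN ('former', 'prospective') "
        f"AND ended_on < ? AND ({holds_pii}) ORDER BY id", (cutoff(today),))
    return [r[0] for r in rows]

def purge_expired(conn, today):
    """Null out PII on expired records, stamp the purge date, return the ids."""
    ids = find_expired(conn, today)
    sets = ", ".join(f"{c} = NULL" for c in PII_COLUMNS)
    with conn:  # one transaction: all expired rows are purged or none
        conn.executemany(
            f"UPDATE customers SET {sets}, purged_on = ? WHERE id = ?",
            [(today.isoformat(), i) for i in ids])
    return ids

def build_sample_db():
    """Constructed sample data; SSN-like values are invalid placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, status TEXT, "
                 "ended_on TEXT, ssn TEXT, dob TEXT, drivers_license TEXT, "
                 "purged_on TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?, ?, ?, NULL)", [
        (1, "former", "2004-06-30", "000-00-0001", "1970-01-01", "DL-0001"),
        (2, "prospective", "2012-03-15", "000-00-0002", "1981-02-02", None),
        (3, "former", "2019-11-02", "000-00-0003", "1992-03-03", "DL-0003"),
        (4, "current", None, "000-00-0004", "1985-04-04", "DL-0004"),
    ])
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    print("purged:", purge_expired(db, date(2021, 8, 14)))
```

Running the job a second time purges nothing, so it is safe to schedule repeatedly; the `purged_on` stamp leaves an audit trail without retaining the PII itself.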
The principle of least privilege (PLP) is one that security and networking professionals understand quite well. Mr. Binns’s ability to access production, staging and development servers speaks to overly permissive access controls wide open to those with network access. T-Mobile might have been less open to attack had its data center been subject to a rigorous application of PLP principles and practices, long considered a cornerstone of cybersecurity.
Then, too, data protection tools and technology could have played a vital role in protecting T-Mobile from unauthorized access to — and exfiltration of — its customer data. A properly implemented set of data protection tools would have noticed out-of-the-ordinary access attempts into its databases and reported them immediately to security staff. Likewise, such tools would block data from crossing the network boundary without presenting additional credentials or proofs of identity and demonstrating a valid need for that data to be exported (and then only in authorized, encrypted formats).
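The two controls discussed above, least-privilege separation of environments and alerting on out-of-the-ordinary database access, can be combined in one detection pass over database audit records. This is an added example, not taken from the article or from any product; the log format, account names, table name and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed audit records (assumed format):
# day, account, source network segment, table, rows read
SAMPLE_LOG = """\
2021-07-01 billing_app prod customers 1200
2021-07-02 billing_app prod customers 900
2021-07-03 billing_app prod customers 1100
2021-07-04 billing_app prod customers 48000000
2021-07-02 qa_runner staging test_fixtures 500
2021-07-04 qa_runner staging customers 300
2021-07-04 report_job prod customers 2000
"""

PII_TABLES = {"customers"}    # hypothetical table holding PII
ALLOWED_SEGMENTS = {"prod"}   # least privilege: only production may read PII
VOLUME_FACTOR = 10            # alert when a read exceeds 10x the account median
MIN_HISTORY = 3               # reads needed before the volume rule applies

def parse(log):
    """Yield (day, account, segment, table, rows) tuples from the audit text."""
    for line in log.splitlines():
        day, account, segment, table, rows = line.split()
        yield day, account, segment, table, int(rows)

def detect(log):
    """Return (day, account, reason) alerts in chronological order."""
    history = defaultdict(list)  # per-account sizes of earlier PII reads
    alerts = []
    for day, account, segment, table, rows in sorted(parse(log)):
        if table not in PII_TABLES:
            continue
        if segment not in ALLOWED_SEGMENTS:
            alerts.append((day, account, "pii-read-from-" + segment))
        past = history[account]
        if len(past) >= MIN_HISTORY and rows > VOLUME_FACTOR * median(past):
            alerts.append((day, account, "bulk-read"))
        else:
            past.append(rows)  # only normal reads extend the baseline
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

An account with fewer than `MIN_HISTORY` earlier reads never triggers the volume rule, so new service accounts need a separate review step.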
The company has acknowledged its responsibility for the breach, and has engaged cybersecurity firm Mandiant and consulting firm KPMG to conduct a thorough and complete investigation. T-Mobile has set up a web page to report on its activities and progress in dealing with the aftermath. CEO Mike Sievert also published a blog post about this event on August 27, in which he acknowledged that the company “failed to prevent this exposure…” He continues that they plan “to take our security efforts to the next level as we work to rebuild trust” as he disclosed what the company has learned about the incident. To start remediation, T-Mobile is offering:
- Two years of free identity protection services through McAfee ID Theft Protection Services “to any person who believes they might be affected”
- Recommending that “eligible T-Mobile customers sign up for free scam-blocking protection through Scam Shield”
- Supporting customers “with additional best security practices and practical security steps like resetting PINs and passwords”
- Providing a customer support web page for easy access to the aforementioned tools and services.
This remains an investigation-in-progress whose scope and scale have yet to be completely determined. For companies and organizations outside this merciless spotlight, it’s a reminder that implementing and enforcing best security practices is far less expensive and damaging than having to cure such a breach after the fact.