A “sophisticated attack” at against T-Mobile’s email vendor gave an unauthorized third party access to some of the mobile provider’s employee email accounts that contained account information for T-Mobile customers and employees.
The information may have included customer names and addresses, phone numbers, account numbers, rate plans and features, and billing information, the T-Mobile said in a notification that also stressed financial information and Social Security numbers were not revealed.
“In an era when BEC attacks are proving to be a highly popular and effective attack method, these types of incidents are unfortunately far too common,” said Peter Goldstein, CTO and cofounder at Valimail. “T-Mobile’s breach is a clear example of how hackers can obtain a wealth of sensitive information just by compromising email accounts.”
The company, which claimed to have quickly identified and shut down the attack, told customers it was “not aware of any evidence where the information contained in the affected email accounts has been used to commit fraud or otherwise misused.”
That’s cold comfort, since customers and employees could suffer ramifications from such a breach for years. “Hackers can potentially trade this data for profit in dark web marketplaces” or perpetrate scams, said Goldstein.
Geoff Huang, internet security expert at Sift, pointed to another “ripple effect: cybercriminals can use that data to perform account takeover (ATO) attacks on other websites and platforms.”
Phishing campaigns most certainly will follow. “Leveraging the compromised data, the malicious actor could target customers with extremely convincing phishing emails that appear to come from the breached company in order to harvest more sensitive information from them,” said Goldstein.
But Ilia Kolochenko, founder and CEO of ImmuniWeb, cautioned against prematurely assessing the overall damage or speculating the eventual consequences of the T-Mobile breach since the circumstances remain obscure and the scope is clouded. While he gave the nod to T-Mobile's public response for being “adequately adapted to the nature of the breach, aimed at minimizing damage and protecting potential victims,” Kolochenko said, "This does not, however, shield T-Mobile from individual lawsuits and class actions from the victims, but will likely minimize any penalties that regulators may impose.”
The breach highlights the wide spectrum of critical risks stemming from third-party vendors and suppliers,” he said. “Worse, such incidents are infrequently discovered given their complexity and lack of visibility. Most organizations merely rely on vendor SAQ and paper questionnaires without ascertaining that security controls are properly put in place.”