Two of the biggest wireless carriers in the US have been breached, resulting in millions of records of customer information being stolen and sold on the dark web.
On August 16th, T-Mobile was hacked, and malicious actors got away with anywhere from 50 to 100 million records containing personal information such as phone numbers, addresses, SSNs, potential billing information, etc.
Allegedly, late this week, AT&T was also the victim of a similar breach, exposing around 70 million records – at the time of this publication, AT&T had not confirmed this.
While these breaches may not directly impact an organization, the personal data obtained can be leveraged as a very effective social engineering tool. Malicious actors could use the data to easily impersonate someone (sending a text with your name/phone number) and to authenticate themselves by providing accurate personal information. Besides the latent threat of identity theft, misuse of this data could be disastrous on both a personal and a corporate level.
At this point it’s not well known how the breaches took place, since forensic information has not been disclosed. It’s believed that malicious actors gained access by breaching associated vendors of the carrier companies, giving them access to multiple servers inside T-Mobile and AT&T’s networks, with more than enough time to download massive amounts of data.
INDICATORS OF COMPROMISE
Unknown at this point – if you are a client of either carrier, there’s a high likelihood that your data has been exposed.
At this point, T-Mobile is offering free identity theft protection; it will provide customers with two years of protection through McAfee.
It's also highly recommended that you:
- Log in to your carrier's website, change your PIN and password, and add MFA (Multi-Factor Authentication) if available.
- Place a freeze on your credit by calling one of the credit bureaus.
- Make friends, family, and colleagues aware of the breach to help create general awareness.
- Stephen Jones, Senior Director Cybersecurity
- Maximo Bredfeldt, vCISO