T-Mobile has announced a massive breach of customer data every year like clockwork since 2018 (sometimes twice in a year) and early in 2023 the telecommunications company was not one to buck corporate tradition — saying a hacker had stolen the day of 37 million customers in the latest incident for the company.
The “bad actor” used a single API to pull data including details like name, address, data of birth, account number from a customer database, T-Mobile said — with the incident coming just six months after it agreed to pay $500 million to settle a class action lawsuit launched after a 2021 data breach that included the commitment that it would spend a further $150 million on “data security and related technology” in 2022 and 2023.
In the wake of a 2021 data breach T-Mobile entered into long-term partnerships with Mandiant, and KPMG, saying “we know we need additional expertise to take our cybersecurity efforts to the next level, and we’ve brought in the help” — CEO Mike Sievert adding that Mandiant will “support us as we develop an immediate and longer-term strategic plan to mitigate and stabilize cybersecurity risks” while KPMG will “perform a thorough review of all T-Mobile security policies and performance measurement… focus on controls to identify gaps.”
T-Mobile hack 2023: Company downplays impact
T-Mobile said this week: “We understand that an incident like this has an impact on our customers and regret that this occurred. While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program.”
The company played down the breach, saying “some basic customer information (nearly all of which is the type widely available in marketing databases or directories) was obtained” and that unlike in a 2022 T-Mobile incident there was “no evidence that the bad actor breached or compromised T-Mobile’s network or systems.”
In April 2022 a group of largely teenage hackers breached T-Mobile and downloaded over 30,000 source code repositories (even gaining access to Atlas, an internal T-Mobile tool for managing customer accounts) according to a new eye-popping report by independent investigative journalist Brian Krebs, who was leaked internal Telegram group messages from the LAPSUS$ group by a disgruntled former associate. T-Mobile admitted the breach.
“The messages reveal that each time LAPSUS$ was cut off from a T-Mobile employee’s account, either because the employee tried to log in or change their password, they would just find or buy another set of T-Mobile VPN credentials” Krebs wrote. The hackers later lost all the stolen T-Mobile source code after storing it in an AWS server that was seized by the FBI — and failing to back-up the data (“RIP FBI seized my server” one member writes on Telegram in messages shared with Krebs in his report this weekend: “It’s filled with illegal shit.”)
Attempts to re-download it from T-Mobile failed, the leaked chats showed after the access token they used was revoked. The ringleader shrugged it off: “Cloning 30k repos four times in 24 hours isn’t very normal.”
T-Mobile in the wake of that incident said: “Our monitoring tools detected a bad actor using stolen credentials to access internal systems that house operational tools software. The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value… Our systems and processes worked as designed, the intrusion was rapidly shut down and closed off, and the compromised credentials used were rendered obsolete.”