T-Mobile recently announced a security breach affecting its employees and customers. According to the company’s data breach notification published on the company’s website, the breach occurred due to an attack” against its email vendor. The hacker(s) were able to access some T-Mobile employee email accounts, which contained T-Mobile account information belonging to various customers and employees, such as:
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
In light of the obscure circumstances and clouded scope of the reported breach, it would be premature to assess the overall damage or speculate about the eventual consequences. For the time being, T-Mobile\’s public response seems to be adequately adapted to the nature of the breach, aimed at minimizing damage and protecting potential victims.
This does not, however, shield T-Mobile from individual lawsuits and class actions from the victims, but will likely minimize any penalties that regulators may impose. The victims will likely have to prove negligence or another relatively complicated legal basis to successfully sue, and most importantly, will have to establish their damages or seek an applicable statute that may quantify compensation.
This security incident highlights the wide spectrum of critical risks stemming from third-party vendors and suppliers. Worse, such incidents are infrequently discovered given their complexity and lack of visibility. Most organizations merely rely on vendor SAQ and paper questionnaires without ascertaining that security controls are properly put in place. Obviously, this omnipresent practice is largely dictated be economic practicality, however, another solution, that would balance the financial burden and risk mitigation, is urgently required.
When organizations consider outsourcing or SaaS’ing traditional enterprise IT services, like email, special considerations need to be made for threat monitoring. Not only must the outsourced service or technology integrate with your existing logging and monitoring initiatives, but you may need to consider a new set of attack vectors to monitor for. In the case of outsourcing email to a SaaS provider, adding a layer of user behaviour analytics to detect brute force attacks, authentications from unusual geographies, and simultaneous authentications from different geographies will address some of the new threats you might experience in the transition.
Lastly, in the event you must outsource the storage or transport extremely sensitive data, additional measures for access control (like network ACLs, VPNs, multi-factor authentication) and data encryption can help mitigate any breaches that may occur.
In an era when BEC attacks are proving to be a highly popular and effective attack method, these types of incidents are unfortunately far too common. T-Mobile’s breach is a clear example of how hackers can obtain a wealth of sensitive information just by compromising email accounts. With access to a plethora of personal data on past and current customers and employees, hackers can potentially trade this data for profit in dark web marketplaces, or use it to commit account takeover, identity theft, or other scams.
In fact, phishing campaigns often follow hot on the heels of breaches like this. Leveraging the compromised data, the malicious actor could target customers with extremely convincing phishing emails that appear to come from the breached company in order to harvest more sensitive information from them. As phish become increasingly hard to identify, sender identity-based email security solutions are a powerful defense that can help thwart these attacks at their source.