T-Mobile Was Hacked, Here's How It Impacts Everyone
By Josh More, Chief Information Security Officer, CDI
You saw the headlines. T-Mobile was breached.
Now, it’s Time to Talk about Aggregation, Automation, and Life in the Time of COVID
The week started out like many others. We were asked to draft an opinion about the T-Mobile breach and tell people what they needed to do to protect themselves. We expected to re-write the same post that everyone seems to come out with after an event like this. You know the script:
- Explain what happened, who had the data and how it was stolen
- Discuss the data a little bit, give a number of records, discuss the type of data taken
- Do a bit of market analysis foretelling a dark future for the company and/or their customers
- Recommend that people get credit protection services or freeze their credit
We’ve seen this play out again and again over the years. Heck, according to IT Governance, there have been 815 attacks involving almost four billion records in 2021 alone.
So what makes this one different?
At one level, the answer is “not a lot.” Sure, there are more records involved than usual (7.8 million). Sure, the data involves a lot of personal elements (SSN, driver’s license, etc.) and a few unusual ones (IMEI and IMSI numbers, PIN codes). So yes, it’s a “big” story that a lot of people are reporting on – but come on, we’ve seen this before.
And that’s the problem, we have seen this before. We’ve seen breaches of the IRS, First American, Marriott, Exactis, Capital One, CheckPeople, Anthem, LinkedIn, the US Census, some whose source is unknown, and others that are new and currently unverified.
Adding just the larger breaches to the known T-Mobile breach, we see this:
So, why does a data breach of a “mere” 53 million records change the world we live in, after we’ve already had breaches so much larger than that? It is because of which data is involved in the breach and how that data enhances the data from other breaches – in other words, “aggregation.”
Suppose an attacker wanted to get access to some loan money by impersonating someone. Well, to do that, they’d need to pick people who had good credit, identify where they have their accounts, and provide information to “prove” identity. It is unlikely that a single attacker has access to all of these data sources, and there is no guarantee that any particular target is listed in all of the data sets that the attacker does have.
However, there are two critical things to keep in mind:
- There are a lot of data breaches that we do not know about
- There are only about 210 million adults in the United States
We do know that the breach involved not only people who were active T-Mobile customers, but also former customers from as far back as the 1990s, and prospective customers… so it’s a large data set, covering many people.
More critically, we do not know how many of the 53 million records in the T-Mobile breach were from US citizens, but even if we assume only 80% of them were in the US, this data set can be used to “fill in the holes” for around 20% of the US adult population.
In other words, for every five adults you know, one of them is now at risk due to this breach who may not have been at risk before.
This is how modern data attacks work.
An attack group gets an idea of what to do – usually seeded by a new data breach or a change in public/corporate policy. Then they look through the other data sets they have and fold records together to get a likely set of people to target. This means that with each new breach, attackers can purchase the data from others, combine it with what they have, and then not only launch something brand new but also improve their internal data sets and re-run the attacks they’ve already set up and polished.
It may be helpful to think of this in game terms, with each new breach “unlocking” new potential capabilities and “leveling up” the attacker’s previous capabilities. So if a data breach aligns to a specific target set (like cell phone data aligns to a large number of working adults with credit to abuse), it can greatly enhance the value of an attacker’s combined data set. That’s why aggregation can make things so much worse.
Okay, that’s bad, but is it bad enough to claim that this is the turning point? Not alone, no… but it’s not alone.
Consider the 2016 IRS data breach of “only” 700,000 records. Ever since 2016, we have seen a massive increase in tax return fraud. You can see it clearly in the archived history of the IRS’s Taxpayer Guide to Identity Theft.
This data suggests (and it is generally believed to be true in the industry) that that breach opened a new theft possibility. Attackers were rewarded for creating automated tooling to facilitate the process of filing fake change of address/bank forms with the IRS and then filing a fake return request ahead of the filing of the real return, so the tax return monies were stolen before they could be sent to the legitimate recipient.
Now consider unemployment fraud. With this attack, the attackers contact the victim’s company and ask for unemployment benefits in the hopes that it would be approved prior to the HR process verifying that the request was legitimate. To see how popular this attack was, check the Google Trends graph.
Take note that the initial rise from March 21, 2020 to April 5, 2020 was followed by a massive rise from April 19, 2020 to May 17, 2020. This trend perfectly matches a manual attack followed by an automated attack. In other words, it took the attackers less than a month to:
- Realize that there was free money sitting in the COVID unemployment program
- Do some manual testing with data on hand to vet the attack opportunity – verifying that companies were doing blanket approvals in the shutdown-related panic
- Launch the attack at scale, pulling in as much fraud as possible before the attack window closed
We saw a similar pattern with the Microsoft Exchange “Hafnium attack”, where the issue was discovered in December of 2020 and started being lightly exploited in January of 2021.
- Patches were released on March 2
- By March 11, ransom-focused attackers were specifically targeting the vulnerability, with around 700 attacks
- On March 15, there were over 7,200 compromised servers… a ten-fold increase over four days
This pattern illustrates how good attackers have gotten with their automation, and how quickly they can recognize opportunities and attack at scale.
Platforms and Supply Chains
As noted earlier, both the Capital One and Microsoft issues in the list were due, not to direct attack, but to discovered misconfiguration. The number of people who understand how to securely use modern cloud services is significantly smaller than the number of people who are actually using them – a pattern we saw in the early days of containers, virtualization, Linux, etc. You name the technology, and you can point to a time early in the adoption curve when the usage growth rate outpaced the growth rate in the techniques that could be used to secure the technology. Today, we’re at that point with every mainstream cloud platform, making systems built on Microsoft Azure, Microsoft 365 tooling, Amazon AWS, Google Cloud, and Oracle Cloud Infrastructure prime targets.
A similar pattern is evolving around internal supply chains, with well-known issues involving SolarWinds, Mimecast, Kaseya, and others. If an attacker succeeds in compromising a supplier, they can get hundreds to thousands of businesses in a single attack – with each business holding millions of records.
Much as how automation multiplies an attacker’s capabilities through time, platform and supply chain attacks multiply an attacker’s capabilities through scope. In other words, when (not if) an attacker succeeds in bringing their automation capabilities to the platform and supply chain world, truly astounding numbers of records would be involved.
* Kaseya provides software to managed service providers, which adds another multiplicative layer to the analysis.
Now, clearly a record count greatly exceeding the number of people on the planet gets ridiculous, and much of the stolen data would be duplicative within the total record count – as the platform’s users would have customers in common between them. However, it is critical to understand the potential of automated data exfiltration when applied to platforms and supply chains.
Access and Targeting
There is one more set of factors that turns the current situation into a perfect storm – the unevenly distributed COVID-driven world-wide recession and the international perception of the United States.
It is well known that attacker groups operate out of countries with lax laws on cyber-attacks. Many of these regions correlate with extremely low cost of living, allowing attackers to gather economic benefit from the extremely low cost of attack, extremely low likelihood of being caught (and minimal ramifications if they are caught), and extremely high return on any successful attack. After all, $1,000 stolen from Minneapolis is worth the equivalent of $2,000 in Kyiv, $1,000 stolen from New York is like $3,500 in Brasov, and $1,000 stolen from San Francisco nets you nearly $4,500 in Tol’yatti.
While global income disparity has always been a driving force behind attacks like this, the COVID pandemic has widened the gap. The remote work advances driven by the same pandemic have allowed unprecedented access to those attacking infrastructure and companies. In other words, we are now at a point where those who live in countries with thriving economies are more vulnerable than ever to attacks from those in countries that may not be faring as well.
What does this all mean?
When you combine all these factors with the fact that consumer-level economic access is restricted by knowledge of the very elements that are present in data breaches, the 13 trillion dollar US consumer economy is a very tempting target to a large number of attackers who have never been so powerful.
In short, we are all living in a world in which, as a US citizen, it is easier than ever to gather the data needed to:
- Identify moderate net worth individuals… middle class people with more means than those outside of the US, but not rich enough to have implemented the financial protections available to the truly rich
- From multiple, affordable data sources, aggregate the information on those individuals needed to impersonate them when working with financial institutions
- Develop automation to identify and profile these individuals at high scale and high speed
- Target platforms and supply chains to multiply the scope of successful attacks
- Leverage the robust API-driven systems developed to allow “work from anywhere” and easy money movement as needed during pandemic operations
- Launch attacks and redirect manual attack responses where needed to low cost English-speaking resources in jurisdictions in which prosecution is not only hard, but practically never heard of
- Funnel as much money out of the United States, as quickly as possible, pivoting and adapting steps #2 and #3 as more data becomes available through constant data breaches
In short, it’s not about T-Mobile anymore. It’s about adversarial capabilities and our cultural complacency.
Okay, so what can we do?
The bad news is that, as individuals, there’s not a lot we can do. The global political and economic forces are what they are and we simply do not operate at a level where we can do much about it. However, there are six things we can do to protect ourselves while the powers that be (hopefully) find a way to address parts of the situation. Moreover, five of those things are the same – freeze your credit reports.
Yes, this is not new advice, but the last thing is where it matters. It is time to change your mindset. It is no longer “you might become a victim of identity theft”, it is now “there are a large number of people who are being incentivized to target you, how can you protect yourself?” In other words, it’s not “I’ll freeze my reports when I have time”, it’s “if I don’t freeze them today, I may be attacked tonight and have a much harder problem to deal with tomorrow”.
This is when all of our standard security advice changes.
Change your banking password to a different one from Facebook. Not when you get around to it, stop what you’re doing and take the five minutes to do it right now. No, really, right now. I’ll wait. Go do that.
The same goes for selecting a banking PIN that is different from your birthday (Equifax breach), closing that unused savings account (First American breach), and transferring and closing out that old 401k (Capital One). Do it now.
For addressing the more general problem, it’s time to freeze everything. Do it here:
It is time to stop thinking that this is a maybe/future problem. You are being attacked right now, this very moment, by automated technology that already has all of your data. Defend yourself by locking down what you can, changing what you can, and living the rest of your life knowing that this is not going to change.
The internet is not going away. You will be online for the rest of your life. It is time to make your information security practices as basic as keeping the sharp edge of a knife away from your body, tying your shoes before you go running, and buckling up as soon as you get in the car.
There’s no more time to wait.