7 September 2021

T-Mobile USA security breach underscores insider attack threat

The reputational damage caused by T-Mobile USA’s recent major security breach continues to unfold as class actions are launched, and third party contractors using the operator’s network or services assess implications for their business. Impact on the operator’s stock price has been slight so far with a fall of around 5%, but it looks like a slow-burning case that will not go away soon.

For T-Mobile, it spoils what had been a good year so far, having reported strong Q2 results in July 2021 with 13% year-on-year revenue growth, and keeping at bay competition concerns over its acquisition of Sprint. The operator has now closed the gap considerably on Verizon to become a strong rather than distant third US MNO with 25% of the market by number of subscriptions. TMO has also won plaudits for its 5G roll-out after always playing catch up in the 4G era, harnessing in particular its swathe of midband spectrum in the 2.5 GHz and 3.7 GHz ranges.

But for now, that has all been swamped by the fall-out from the operator’s biggest breach to date by far, with the question being whether the damage will be lasting or just a short-lived storm, given that many other major corporations have also suffered significant attacks. The problem is that this attack has exposed what seems like lax security measures at odds with the operator’s message of care, amid boasts it will offer not just the fastest but best 5G service in the country.

Certainly, CEO Mike Sievert’s statement, which surfaced two weeks after the attack, resembled closing the stable door after the horse had bolted, even as he admitted that the period had been humbling for the company. The breach had been contained and the company’s investigation was substantially complete, he insisted.

His contrite tone returned as he continued: “Attacks like this are on the rise and bad actors work day-in and day-out to find new avenues to attack our systems and exploit them. We spend lots of time and effort to try to stay a step ahead of them, but we didn’t live up to the expectations we have for ourselves to protect our customers.”

Sievert continued: “Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry.” Magenta is a brand name for plans and services associated with TMO parent Deutsche Telekom, the US operator’s largest shareholder with a 43% stake.

The damage had already been done, especially reputationally. There was some doubt over exactly how much data had been exposed and for how many customers. TMO has indicated that 13.1m current postpaid customers had associated information illegally accessed, as well as data files with information on about 40.6m customers described as “former or prospective”. There was also information such as account PIN numbers breached for around 900,000 active prepaid customers, but that damage was more limited because these were temporary credentials that could just be changed, with no sustained issues.

Apart from the exposure of personal information, it is the nature of the breach, and the revelations from the US citizen who claimed responsibility, that have done most harm. Sievert himself admitted the attack was conducted by a former disgruntled insider exploiting knowledge of the systems to access testing platforms that should have been capable of resisting such attacks. “The bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data,” said Sievert. “In short, this individual’s intent was to break in and steal data, and they succeeded.”

The individual alleged to have conducted the attacks is John Binns, a 21-year-old US citizen now living in Turkey, who has claimed responsibility and presented evidence backing that assertion to the Wall Street Journal, which is currently being assessed. The story then becomes murky and rather unseemly, as Binns has claimed he was retaliating for his treatment by US law enforcement agencies over alleged involvement in a malicious botnet, claiming he was tortured and that he was filing a claim against the Department of Justice, FBI and CIA.

TMO has not commented on any such specifics but its admission that this was a brute force attack is revealing in itself. Brute force attacks harness computational power with increasing sophistication, but the principle remains the same, to make multiple attempts at guessing certain credentials, like running through the options of a combination lock.

For example, hybrid brute force attacks start with a predetermined list of passwords, similar to the technique known as the dictionary attack where commonly-used words and their variants are tried in quick succession, combined with logic to determine which option is most likely to succeed. This has been extended further with the reverse brute force attack, which starts with a common set of passwords and tests them repeatedly against multiple user accounts. In this case it is the user’s name that is subject to the brute force, rather than the password, hence being called reverse.

This form has been adapted to target specific networks with some success, and more sophisticated variants have emerged in recent years, such as recovering passwords from stolen encoded or hashed representations (offline hash cracking) rather than guessing against the live login interface.

There have been a number of successful high profile brute force attacks over the past decade, though fewer recently; among the last recorded major breaches was an attack on the Northern Ireland parliament in 2018 that allowed hackers to access the email accounts of several members.

Brute force attacks remain popular because of their relative simplicity to carry out given access to adequate compute power, but targets have tended to become lower level. There has been a boom in their use against remote desktop protocols during the Covid-19 pandemic, spurred by the proliferation in home working.

Defences against brute force attacks are well known and simple to state: primarily stronger passwords, additional multi-factor authentication (smart tokens, smartphones and biometrics), and limiting the number of login attempts allowed for a given set of credentials before they are throttled or locked out. In practice such measures have had varying success, but they have helped constrain brute force attacks.

The other element is the insider factor, which has dogged the cybersecurity field from the outset, because it can enable technical defences to be breached. Insiders may have intimate knowledge of weaknesses, or the know-how to exploit the higher levels of privilege that some administrators need to carry out their roles. It is possible to counter insider attacks successfully in highly secure military environments through rigorous revocation of credentials and enforcement of protocols that prevent individuals from accessing critical systems or data on their own. But these measures tend to fall down in real commercial environments.

So given that cybersecurity will always be an arms race, TMO could claim that occasional major breaches will always occur. However, it does seem that available practical defences were not employed. The mantra here is defence in depth, which accepts that perimeter defences will occasionally be breached and so relies on perpetual surveillance inside to obtain early warning of unfolding attacks. Then critical systems can be shut down quickly, and damage minimized. Brute force attacks should reveal themselves quickly since they elicit unusual patterns of activity that hackers can disguise to some extent but not avoid entirely.
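As an added illustration of the “unusual patterns of activity” mentioned above (not code from the article, from T-Mobile or from any investigator), the following Python detector reads syslog-style authentication lines in an assumed format and flags both classic dictionary-style brute force (many failures on one account from one source) and the reverse brute force or password spraying pattern described earlier (one source failing across many accounts), within a sliding time window. The log format, thresholds, addresses and account names are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed syslog-style format, constructed for this example (not from the article).
LINE_RE = re.compile(r"^(?P<ts>\S+) auth \S+: (?P<result>Failed|Accepted) password for "
                     r"(?P<user>\S+) from (?P<src>\S+)$")

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not an authentication event
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"] == "Failed", m["user"], m["src"]

def detect(lines, window=timedelta(minutes=5), per_account=3, spray_accounts=3):
    """Map (kind, src, account) -> peak count inside one sliding window; brute_force is
    many failures on one account from one source, password_spray is one source across many."""
    per_src = defaultdict(deque)  # src -> recent (ts, user) failures
    findings = {}
    for line in lines:
        ev = parse(line)
        if ev is None or not ev[1]:  # skip unparsable lines and successful logins
            continue
        ts, _, user, src = ev
        q = per_src[src]
        q.append((ts, user))
        while ts - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        users = [u for _, u in q]
        if users.count(user) >= per_account:
            key = ("brute_force", src, user)
            findings[key] = max(findings.get(key, 0), users.count(user))
        if len(set(users)) >= spray_accounts:
            key = ("password_spray", src, None)
            findings[key] = max(findings.get(key, 0), len(set(users)))
    return findings

# Constructed sample: burst on 'admin' plus one late attempt outside the window,
# a spray from a second source, and one ordinary failed-then-successful login.
SAMPLE_LOG = """\
2021-08-01T10:00:01Z auth sshd: Failed password for admin from 203.0.113.5
2021-08-01T10:00:02Z auth sshd: Failed password for admin from 203.0.113.5
2021-08-01T10:00:03Z auth sshd: Failed password for admin from 203.0.113.5
2021-08-01T10:30:00Z auth sshd: Failed password for admin from 203.0.113.5
2021-08-01T10:01:00Z auth sshd: Failed password for alice from 198.51.100.7
2021-08-01T10:01:01Z auth sshd: Failed password for bob from 198.51.100.7
2021-08-01T10:01:02Z auth sshd: Failed password for carol from 198.51.100.7
2021-08-01T10:02:00Z auth sshd: Failed password for erin from 192.0.2.9
2021-08-01T10:02:05Z auth sshd: Accepted password for erin from 192.0.2.9
""".splitlines()
```

The late attempt on `admin` at 10:30 falls outside the five-minute window, so it does not raise the peak count; in production the thresholds would be tuned per service and the source would be the client address seen at the authentication tier, not the log host.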

Because this latest attack was not thwarted in time, damage has been done, reflected in filing of two class action lawsuits against TMO over the incident in the last days of August. One was filed by Morgan & Morgan, Terrell Marshall Law Group, Arnold Law Firm, Mason Lietz & Klinger, and The Consumer Protection Firm in the Western District of Washington, with Stephanie Espanoza, Jonathan Morales and Alex Pygin named as lead plaintiffs.

This lawsuit alleges that T-Mobile “maintained private information in a reckless manner”, exposing customers to elevated fraud and identity theft risk. Whatever the outcome of these lawsuits, TMO may still be considered guilty of general incompetence, even if not of specific reckless negligence.

The case also has legal ramifications for some contractors and third party suppliers that use the TMO network, since the breach may have indirectly exposed sensitive data on their own customers.