Anatomy of an Attack: T-Mobile Hack Takeaways

As far as digital heists go, last week’s T-Mobile hack was about as complicated as a convenience store smash-and-grab, albeit one that exposed the personal data of 40 million-plus customers. In lieu of any ransom schemes, the stolen records of 30 million of those consumers quickly wound up for sale with a reported initial asking price (in bitcoin, naturally) of roughly $270,000.


Despite the brash nature of the attack and the damage it potentially inflicts on tens of millions of consumers, there’s a real risk that this T-Mobile breach will soon fade from headlines and the attention spans of consumers and business leaders. Third-party risk management (TPRM) professionals and their counterparts cannot afford to make the same mistake. The brazen cyber-attack is noteworthy for several reasons of interest to TPRM teams, including:


    • IMEI’s inclusion: An International Mobile Station Equipment Identity (IMEI) number is uniquely and directly linked to each device on a mobile network. “What stands out to me about this attack is the inclusion of the IMEI as a data element,” notes Shared Assessments Vice President Ron Bradley. “Dial *#06# to see yours, take a picture, and store it in a safe spot.” IMEI information is used to track and configure your cell phone, and it also can be used to remotely disable any phone. “If your credit card is compromised, the card issuer can simply disable or delete the card and send you a new one,” Bradley continues. “That’s an impossibility for mobile devices. Currently, there is no evidence of large-scale denial-of-service type attacks against IMEI numbers, but if it were to become a targeted strategy, you can imagine the havoc it could wreak. Even disabling a small number of high-value devices – think of those owned by public officials, healthcare workers, business executives, etc. – would have an adverse effect.”


    • Spear-phishing ammunition: The personal information that was stolen in this attack equips hackers with a trove of fresh ammunition to conduct follow-up scams via emails and other forms of electronic communications. “Being armed with millions of T-Mobile customer records allows hackers to spear-phish individuals more convincingly and perpetuate the problem,” Bradley notes. Spear-phishing emails often deploy clever tactics to entice recipients to click on malicious links that can leave personal and business systems vulnerable to additional breaches, information theft and fraud.


    • Comfortably numb? Within a few days, the black-market price for those 30 million stolen records plummeted to $200 (according to Vice, a digital media outlet, as reported by the more-traditional news outlet Reuters). Consumer outrage, concern and personal cybersecurity defenses also could recede quickly, primarily because the sheer volume of massive cybersecurity breaches (Colonial Pipeline, SolarWinds, WannaCry, etc.) is overwhelming. “Data privacy as we have traditionally come to expect is a thing of the past,” Bradley says. “My concern is, as the frequency and scale of these attacks continue to increase, people tend to get jaded by the news of them.”


    • Vigilance required: While a jaded perspective is understandable given how much personal data has been pilfered in recent years, it shouldn’t lessen our cyber-hygiene vigilance. “It’s incumbent upon us as consumers of technology services to adopt a ‘defense-in-depth’ posture,” Bradley asserts. “By that I mean, freezing your credit, being vigilant about checking your credit card and bank statements, using password managers with pass phrases vs. passwords, and being cautious about what you share on social media.”



Similar vigilance is required by businesses. “A cloud of secrecy and shame surrounding cyber-attacks amplifies the difficulties,” notes a recent Economist editorial. “Firms cover them up. The normal incentives for them and their counterparties to mitigate risks do not work well. Many firms neglect the basics, such as two-step authentication.” The Economist argues that standards requiring more detailed cybersecurity-related disclosure for all companies would enable investors, insurers and outsourcers to better identify firms that are underinvesting in security – and respond accordingly: “Faced with higher insurance premiums, a flagging stock price and the risk of litigation, managers might raise their game. Manufacturers would have more reason to set and abide by product standards for connected gizmos that help stem the tide of insecure IoT devices.”


Internet of Things security represents a major third-party risk as well as a rising strategic risk. If cyberattacks become too costly or disruptive, businesses and consumers may shy away from using new and emerging technologies, which would limit the benefits those breakthroughs deliver to investors and society (think of the medical benefits of healthcare IoT applications or the environmental benefits of connected and electric vehicles).


After learning of the attack, savvy T-Mobile customers immediately changed their passwords, signed up for the free identity theft protection services the carrier offered, and activated T-Mobile’s account takeover protection mechanism. The cyber-savviest consumers had already enacted credit freezes and protections against SIM card swaps as defensive measures.


The T-Mobile cyberattack is yet another reminder that TPRM professionals also need to sustain, and continually improve and adjust, their own cybersecurity practices.