T-Mobile hack is a return to the roots of cybercrime
In the world of cybercrime, ransomware attacks might be the sophisticated bank heists. The hack of T-Mobile is more akin to smashing a window, grabbing merchandise, and running.
The attack that exposed the personal information of millions of T-Mobile customers spotlights a common type of cyber threat that can inflict significant damage to consumers, much like the recent rash of ransomware attacks hitting companies.
The breach exposed the data of more than 40 million people, T-Mobile confirmed Wednesday, including customers' full names and driver's license information. A hacker posted about the stolen information on a cybercrime forum late last week, offering to sell it to buyers for the price of six bitcoin, or about $270,000.
This type of attack, in which hackers worm their way into companies' systems, steal data and try to sell it online, has been a common tactic for years, cybersecurity experts say. Unlike the high-profile ransomware attacks that have disrupted fuel supplies, hospital systems and food production in recent months, these data exfiltration hacks do not lock down computer systems.
Instead, hackers quickly locate and steal information that they know they will likely be able to sell online, sometimes to multiple interested buyers.
"The motivation obviously is money," Brett Callow, a threat analyst at Emsisoft, said of such data exfiltration hacks.
Cyberattacks motivated by financial windfalls have hit companies across all industries during the pandemic, especially as hackers executing ransomware attacks banded together. The T-Mobile attack shows that other kinds of cyber threats are still wreaking havoc on company security and threatening people's digital privacy.
Motherboard first reported on the hack this weekend, and T-Mobile confirmed it had suffered a breach a day later. But the cell carrier didn't release more details of the attack until Wednesday, when it confirmed personal customer information had been stolen.
It's at least the fifth breach that T-Mobile has suffered in the past four years, said Forrester security and risk analyst Allie Mellen.
"It's something that should make their customers consider whether it's actually worth working with T-Mobile," she said.
T-Mobile declined to comment outside its news release confirming the hack. In a public statement Wednesday, the company said it would offer two years of identity protection services to affected customers.
It's difficult for cybersecurity analysts to determine from the outside why T-Mobile keeps getting breached. Cyberattacks have become common across all industries, and pretty much no company is immune from their reach.
Still, Mellen said, T-Mobile seems to get hit more frequently than usual. Part of the reason could be its mergers and acquisitions activity, including its merger with Sprint last year, she said. When two companies' systems are combined, it can be challenging to make sure they both meet the same security standards.
"There needs to be deeper transparency around what went wrong and why," she said. "They need to build up policies to make sure this doesn't happen in the future."
There could be another reason T-Mobile is being targeted — it has the type of information that cybercriminals know they can sell.
"If you're a cyber criminal, you try to go where there are large pools of customer data available," said Michael Daniel, president and CEO of the Cyber Threat Alliance.
Security researchers note it's possible that some hackers favor these kinds of data exfiltration hacks over ransomware attacks because they could attract less law enforcement attention. Ransomware attacks, on the other hand, might be the easier way to bring in a big payday: in these attacks, hackers use software that locks victims' computer systems, and demand a ransom to hand over a "key" that will unlock their files.
But ransomware attacks can cause immediate and widespread damage to companies and their customers, drawing global attention. In the case of the Colonial Pipeline attack in May, people were forced to wait in long lines at gas stations, and some pumps ran out of fuel in the face of panic-buying.
Ransomware attacks often present a double-whammy for victims: first, the hackers will demand payment to unlock their files. Then, hackers will request a second ransom to prevent them from leaking stolen information.
The T-Mobile attack and others like it eliminate the step where hackers try to get companies to pay up.
"This is skipping the extortion bit and going straight to selling," said Rick Holland, chief information security officer for cyberthreat software company Digital Shadows. "It's all about the Benjamins."
It also means consumers' information could be exposed regardless of whether victim companies are willing to pay.
In the case of the T-Mobile attack, the alleged hacker said they had different motivations. In a screenshot of a text conversation posted online by Alon Gal, co-founder of cybercrime firm Hudson Rock, the hacker appears to tell Gal that the attack was done "to harm US infrastructure."
On Monday, the hackers appeared to drop the price of the information dramatically, from about $270,000 to just $200.