News: 1727733557

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

T-Mobile US to cough up $31.5M after that long string of security SNAFUs

(2024/09/30)


T-Mobile US has agreed to fork out $31.5 million to improve its cybersecurity and pay a fine after a string of network intrusions affected millions of customers between 2021 and 2023.

Specifically, the telco has entered a legal settlement

[1]PDF

with the FCC today that requires the carrier to pay a $15.75 million civil penalty to the US Treasury, and also spend $15.75 million over the next two years on its infosec program, including:

Designating a chief information security officer who will report regularly to the board of directors.

Building a zero-trust security framework and segmenting its network.

Implementing phishing-resistant multi-factor authentication across its networks and systems.

Adopting data minimization, inventory, and disposal processes to limit the amount of customer information it collects and retains.

Identifying and monitoring critical assets on its network.

Conducting independent third-party assessments of its information security practices.

The settlement was reached after the FCC formally accused T-Mo of breaking its obligations under the Communications Act of 1934, which require carriers to do such outlandish things as protecting customers' information from theft and having in place reasonable cybersecurity defenses.

"Implementing these practices will require significant - and long overdue - investments," the FCC's settlement notes. "To do so at T-Mobile's scale will likely require expenditures an order of magnitude greater than the civil penalty here."

By our count, the un-carrier has suffered at least [2]seven IT security breaches over a five-year period, resulting in tens of millions of customers' data being stolen and leaked on dark web marketplaces. That said, the settlement officially covers four SNAFUs since 2021.

[3]

When asked about the deal, a T-Mobile US spokesperson told The Register the telco was already trying to shore up its computer security:

We take our responsibility to protect our customers' information very seriously. This consent decree is a resolution of incidents that occurred years ago and were immediately addressed. We have made significant investments in strengthening and advancing our cybersecurity program and will continue to do so.

As far as we can tell, T-Mo has admitted no wrongdoing in settling this case.

As outlined in the agreement, the first of the privacy breaches occurred in 2021. At that time, a criminal [4]gained access to a T-Mo environment remotely, and ultimately stole a ton of sensitive personal and device information, including PINs, belonging to 76.6 million current, former, and prospective T-Mobile customers.

[5]

[6]

The FCC goes into some detail about that data theft:

A threat actor was able to gain access to a T-Mobile lab environment via a piece of telecommunications equipment by impersonating a legitimate connection to the piece of equipment.

Prior to achieving this access, the threat actor appears to have engaged in reconnaissance over a period of months. The threat actor was able to exploit this initial access and successfully guess passwords for certain servers, and then moved across network environments. As a result, the threat actor was able to access another lab environment, in which the threat actor engaged in additional network scanning and password-spraying attacks.

This enabled the threat actor to access other environments containing database backup files and other information. Forensic review confirmed the threat actor was able to exfiltrate data from these environments...

A year later, a crook broke into a management platform that T-Mobile US provides to its mobile virtual network operator (MVNO) resellers using a few different tactics, including an illegal SIM swap involving a T-Mo employee and a phishing attack against another employee.

[7]AT&T, Verizon, Sprint, T-Mobile US fined $200M for selling off people's location info

[8]FCC reminds US mobile carriers that customer data needs to be protected

[9]FCC gets tough: Telcos must now tell you when your personal info is stolen

Then in 2023, a miscreant used stolen T-Mob account credentials to access a sales application and view customer data. The un-carrier clocked this privacy breach after an increase in customer port-out complaints. An internal investigation revealed the attacker had stolen credentials belonging to "several dozen" retail employees, and these are believed to have been swiped in a phishing campaign.

And in a separate 2023 incident, T-Mobile US discovered a data security breach involving [10]one of its APIs . "Human error led to a misconfiguration in permissions settings that allowed a threat actor to submit queries and obtain T-Mobile customer account data," the settlement says. Using this API, the data thieves stole a "limited set" of full customer account data along with about 37 million post- and pre-paid customer accounts.

"Today's mobile networks are top targets for cybercriminals," FCC boss Jessica Rosenworcel said in a statement

[11]PDF

. "Consumers' data is too important and much too sensitive to receive anything less than the best cybersecurity protections."

[12]

To this end, the FCC in February issued [13]updated reporting rules that require telcos in America to officially disclose that a criminal has broken into their systems within seven days of discovering the intrusion.

The new FCC rule came just days after [14]Verizon began notifying more than 63,000 people, mostly current employees, that someone had gained illicit access to their personal information. ®

Get our [15]Tech Resources



[1] https://docs.fcc.gov/public/attachments/DA-24-860A1.pdf

[2] https://www.theregister.com/2023/05/08/in_brief_security/

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zvtz5neLwcA8-e6-TE8osgAAAEs&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[4] https://www.theregister.com/2021/08/16/in_brief_security/

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zvtz5neLwcA8-e6-TE8osgAAAEs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zvtz5neLwcA8-e6-TE8osgAAAEs&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[7] https://www.theregister.com/2024/04/29/fcc_telecom_fines/

[8] https://www.theregister.com/2023/12/13/fcc_sim_swapping_carriers/

[9] https://www.theregister.com/2024/02/12/fcc_gets_tough_on_telcos/

[10] https://www.theregister.com/2023/01/20/t_mobile_us_data_breach/

[11] https://docs.fcc.gov/public/attachments/DOC-405937A1.pdf

[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zvtz5neLwcA8-e6-TE8osgAAAEs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[13] https://www.theregister.com/2024/02/12/fcc_gets_tough_on_telcos/

[14] https://www.theregister.com/2024/02/06/verizon_internal_privacy_breach/

[15] https://whitepapers.theregister.com/



Here we go again.

Alan Mackenzie

Yet another big USA firm guilty of criminal negligence, and rather than the guilty serving time behind bars, their shareholders pay a "fine" equivalent to a few cents per victim (the victims here being those whose data T-Mobile allowed to be stolen). Just a cost of doing business.

The justice system in the USA appears to be purely for the little people, the masses. The "elite" know they can break whatever laws they like without meaningful consequence.

Re: Here we go again.

IGotOut

Shareholders paying?

Nah you got that wrong. It'll be the victims that end up paying...i.e. the customers.

Have I time travelled?

IGotOut

"This consent decree is a resolution of incidents that occurred years ago "

Yes because 2023 was at least 10 years ago, back in the bad old days

Lamonte Cranston once hired a new Chinese manservant. While describing his
duties to the new man, Lamonte pointed to a bowl of candy on the coffee
table and warned him that he was not to take any. Some days later, the new
manservant was cleaning up, with no one at home, and decided to sample some
of the candy. Just than, Cranston walked in, spied the manservant at the
candy, and said:
"Pardon me Choy, is that the Shadow's nugate you chew?"