Over 74 Million US Telecommunications Clients’ Data Leaked
The Telecommunications sector is part of the critical infrastructure of any nation, as the backbone for communications and coordination. According to Kepios’ research, the number of internet users in 2023 will stand at 311.3 million, with an internet penetration rate of 91.8% of the total population. This presents a growing lucrative threat attack surface for threat actors, ransomware, and APT (Advanced Persistent Threat) groups.
Since January, Cyble Research and Intelligence Labs have observed that hackers have targeted several U.S. telecommunications companies.
- On January 5, 2023, ransomware group CL0P targeted CGM LLC, a U.S. SaaS (Software-as-a-Service) provider that helps telecommunications companies participate in the Affordable Connectivity Program. The leaked screenshots included identifications submitted by disadvantaged applicants to the program.
- On January 6, 2023, T.A. (Threat Actor) IntelBroker claimed to have found a third-party vendor’s unsecured cloud storage containing 37 million AT&T client records. The TA shared a sample of 5 million records and was aided in attributing the leak by other T.A.s on the forum.
- On January 19, 2023, T-Mobile filed a report to the SEC notifying of a bad actor who took advantage of the carrier’s API (Application Programming Interface) vulnerabilities to exfiltrate 37 million customers’ PII (Personally Identifiable Information). T-Mobile has notified the affected clients and stated they are working with law enforcement. This attack led to targeted SIM swapping attacks on Google Fi, which uses T-Mobile as its primary service provider.
- On January 18, 2023, TA IntelBroker offered to sell 550,000 records of Charter Communications users. The TA then followed up by leaking the database for free on January 26, 2023. The data contained addresses and account numbers, as well as service details. A spokesperson acknowledged the leak but stated that the source was likely a third-party vendor.
- On January 27, 2023, IntelBroker leaked a database, allegedly from Verizon, for free. This database contained 7.5 million clients’ records, only first names, device types (Apple or Android), and service plans. Verizon verified that the data leak was legitimate and originated from a vendor which creates videos to assist clients. The vendor did not have access to PII aside from first names.
- On February 1, 2023, IntelBroker shared a database of 144,000 client records from U.S. Cellular. The records included PII such as emails, addresses, device information, phone number, and subscription service details. U.S. Cellular stated that the data is outdated and had been shared with a vendor.
Most of the breaches mentioned above can be attributed to third-party vendors. Third-party breaches through vendors, software, and MSPs (Managed Service Providers) caused several prominent incidents, including the Okta breach in March 2022, the Kaseya hack in July 2021, and most recently, the leak of 77,000 Uber employees’ data through its third-party vendor Teqtivity.
These third-party breaches can lead to a larger scale supply-chain attacks and a greater number of impacted users and entities globally. Typically, Scammers often take the leaked information, compile it with information from other breaches or publicly accessible sources, and attempt identity theft, financial fraud, extortion, or harassment. This was seen after the Optus data breach, where a sample of 10,000 records shared by the T.A. was used in an attempt to extort the users.
Companies’ post-breach response typically includes contracting auditors and information security companies as well as offering short-term credit monitoring to protect against fraud. However, these are reactive measures. Ideally, GRC (Governance, Risk, and Compliance) should direct companies to maintain adequate policies and procedures to protect against threats proactively. These include:
- Creating a complete list of third-party vendors and technologies. This list can then be leveraged to assess the importance and sensitivity of services provided by each vendor/technology stack and the risks presented by each. Accordingly, companies should maintain comprehensive Software Bill of Materials (SBOM)
- Researching third-party vendors’ compliance with industry standards and previous audit results and requesting a new audit by a third-party auditor if necessary.
- Regularly assessing and reviewing the third party’s access to the data in terms of amount, means of transfer, and sensitivity.
- Performing regular VAPT (Vulnerable Assessment and Penetration Testing) should be performed and should cover third-party vendors as well.
- Obtaining cyber insurance and requiring vendors to also have cyber insurance policies. This requirement ensures that vendors have reviewed their own practices, as well as a smoother recovery from cyber incidents covered by the insurance policy.
- Keeping up to date on current threats and TTPs commonly used by Threat Actors, such as exploiting APIs, exploiting misconfigured cloud storage, phishing, etc.
- Supply chain compromise can be minimized through the implementation of organization-wide zero-trust policies.
In response to the breaches in the Telecommunications sector, on January 5, 2023, the FCC issued a statement pushing for a change in current breach notification guidelines, proposing the removal of the compulsory seven-day waiting period before customers are notified of breaches, as well as expanding the scope of federal agencies that receive breach notifications to include the FCC, FBI, and the U.S. Secret Service.
“The law requires carriers to protect sensitive consumer information, but, given the increase in frequency, sophistication, and scale of data leaks, we must update our rules to protect consumers and strengthen reporting requirements.”FCC Chairwoman Jessica Rosenworcel