Millions of customer records have been stolen from T-Mobile US, the company confirmed this week. The data breach could turn out to be a costly one for the mobile operator, as new research shows the average cost of a data breach has risen to more than $4.7m.

T-Mobile data breach
Up to 100 million customer records are thought to have been stolen in a data breach at T-Mobile this week. (Photo by r.classen/Shutterstock)

Details of the breach emerged on Sunday, when 30 million social security numbers and driving licence details appeared for sale on an online forum. The seller said the data came from a cache of over 100 million records stolen from T-Mobile. Yesterday the company admitted it had been subject to a breach, stating “unauthorised access to some T-Mobile data occurred” but added that it was still investigating precisely what sort of data had been taken.

On Wednesday, T-Mobile US said 7.8 million postpaid service customer records were lifted by hackers. The data of about 850,000 prepaid customers was also hacked, as well as more than 40 million records of former or prospective customers.

T-Mobile data breach could be costly

The breach could turn out to be a costly one for the mobile operator, as new research shows the cost of a data breach has risen by 10% in the last year to an average of $4.24m, according to the Cost of a Data Breach report from IBM and Ponemon Institute. The average cost per record is now $161, as opposed to a figure of $146 in 2020. This represents an increase of 14.2% since the 2017 report, where the average was $141. Costs of a data breach can relate to the retrieval of the data itself, as well as compensation to customers, regulatory fines and the cost of lost business.

Communications companies generally saw a considerable increase in average data breach costs in the past year, up 20.3% to $3.62m, though this is still below the global average for other sectors.

How big was the T-Mobile data breach?

The seller, who is believed to be based in Belarus, says they got into T-Mobile's systems via an exposed gateway GPRS support node, part of the infrastructure that connects mobile users to the internet. "From there, we pivoted through several different IP addresses and eventually got access to their production servers," they said. "Everything was stolen."

Telecoms data is especially valuable as it contains so much information, explains Amy DeCarlo, principal analyst in security and data centre services at GlobalData. "Some of the most highly valuable information on consumers is attached to a mobile provider," she says. "They have location data, which is the ultimate in information as they will know where the consumer is and where the consumer has been. They know the consumer's habits. They can model that data."

This sort of information can be useful to cybercriminals who are interested in creating targeted scams, stealing identities or other malicious behaviour, says Erich Kron from KnowBe4, a security training provider. State-backed threat actors could also be interested in getting hold of it, he adds. "Given the size of T-Mobile, there is a good chance that this information could benefit other countries with surveillance programs," he says. "Some cybercriminals might buy the bulk of the information, then resell it in smaller chunks to other criminals."

The records are being sold for six bitcoin, worth around $286,000, a sum that Nathalie Moreno, a partner at law firm Addleshaw Goddard, describes as "an incredibly low amount". This "gives the impression that the hackers are somewhat amateur," Moreno says. "The forensics are going to be called immediately to try to determine what exactly has been accessed, compromised, stolen, and that part is something which can take time."