When two of the largest technology companies in the United States are attacked by cybercriminals, you pay attention. In 2021, both T-Mobile and BlackBerry faced public scrutiny after they failed to promptly inform customers and the public of server and software vulnerabilities that affected millions of people.
Because companies have been slow to report attacks, there is now a debate over whether legislation should require companies to report incidents to the federal government within a set time frame. Companies that miss the deadline could face a hefty fine.
T-Mobile, a wireless voice, messaging, and data services company, was at the center of a data breach that exposed sensitive information of more than 50 million current, past, and prospective customers. The breach, which exposed names, addresses, driver’s licenses, social security numbers, IMEI numbers, and ID information, came to light on August 15, 2021, when hackers claimed to have accessed the data of over 100 million people.
The attackers were able to access the data by compromising multiple backdoored servers. The ringleader of the attack was 21-year-old American hacker, John Binns. He infiltrated the servers when he found an opening in T-Mobile’s wireless data network that allowed access to two of their customer data centers.
The breach was one of the most significant because of the number of records exposed and the regulatory repercussions that could possibly take place. The attacker who was selling the information on a forum asked for 6 bitcoin (about $270,000) for a portion of the data containing 30 million social security numbers and driver’s licenses.
[Image 1: Customer Data for Sale on Forum – T-Mobile customer data for sale, krebsonsecurity.com]
When Vice.com initially broke the news of the breach, T-Mobile waited until August 16, 2021, before confirming that the breach had happened. Customers spent an entire 24 hours reading headline after headline from media outlets without hearing a word directly from T-Mobile regarding their compromised information. The only statement T-Mobile gave when the news broke was to Motherboard, Vice.com’s technology website, and it repeatedly turned down follow-up questions regarding the scale of the attack.
“We are aware of claims made in an underground forum and have been actively investigating their validity. We do not have any additional information to share at this time.” – T-Mobile (csoonline.com)
When T-Mobile finally addressed their customers, they simply said that they were aware that data “may have been” accessed illegally and were investigating the matter with digital forensic experts.
[Image 2: T-Mobile’s Response]
By the time T-Mobile kicked the attackers out of their servers, the damage was already done. The attackers downloaded the data locally and backed it up in multiple places. On August 17, 2021, T-Mobile confirmed that the data breach affected approximately 7.8 million current customers and 40 million former and prospective customers. They also finally confirmed that personal information was stolen, including PIN numbers, names, and phone numbers of 850,000 pre-paid customers. By August 20, 2021, another 5.3 million existing customers and 667,000 pre-paid customers were found to be affected by the breach.
As a result, T-Mobile offered two years of free identity protection services and offered pre-paid customers its Account Takeover Protection service. A unique web page was published for customers seeking information and solutions on how to further protect themselves.
In August 2021, a Canadian cybersecurity company discovered a flaw (BadAlloc) in BlackBerry’s QNX Real-Time Operating System software (QNX RTOS). The flaw, which could allow cybercriminals to execute arbitrary code or flood a system with traffic, could also crash the operating system and cause major issues. BadAlloc left two hundred million cars, as well as hospital and factory equipment, susceptible to attack.
Now, medical equipment in several fields relies on QNX RTOS, as well as several car manufacturers like BMW and Volkswagen. Components of the International Space Station and rail equipment also rely on the software. While BlackBerry reported that there weren’t any incidents of attackers compromising the software as it relates to cars or medical equipment, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated that the flaw “could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation’s critical functions.”
According to Politico.com, BlackBerry initially denied that BadAlloc (CVE-2021-22156) affected its products and declined to make a public announcement. In April 2021, Microsoft stated that it had discovered the vulnerability in several companies’ operating systems and software. In May 2021, companies that used QNX RTOS became aware of BadAlloc, went public with the news, and urged users to patch their devices.
It was not until CISA urged BlackBerry to accept that its software was affected that the company made a public statement of acknowledgment, months after the initial reports. Digging itself into a deeper hole, BlackBerry said it had no intention of dealing with the issue publicly; it wanted to reach out to its customers directly to warn them about the issue with QNX RTOS.
[Image 3: BlackBerry’s Response – statement from BlackBerry.com]
The problem with BlackBerry’s approach of handling the issue privately is that its outreach would only cover a fraction of the companies that were affected. BlackBerry doesn’t know everyone who is using the software because it licenses QNX RTOS to original equipment manufacturers (much as Microsoft sells Windows to HP). This means that BlackBerry doesn’t know where its software ends up, and the customers using it don’t know where the software originated. Many customers would have to be informed by the federal government or by the original equipment manufacturers to learn about the software flaw, meaning BlackBerry’s quiet approach would leave many users of QNX RTOS in serious danger.
Naturally, people were not happy with the way T-Mobile and BlackBerry handled their respective situations. T-Mobile’s customers were on edge waiting for more information about their personal data and media outlets didn’t have concrete answers as to what exactly happened or how it happened. BlackBerry continued to deny that they even had an issue until CISA stepped in, encouraging them to accept that they had a problem that needed to be fixed.
Sometimes, companies try to keep vulnerabilities private to keep attackers in the dark about the company’s next steps, but they also keep quiet to keep backlash and financial loss at a minimum. Public embarrassment or shame may be another reason why incidents are hushed. However, not reporting data breaches or vulnerabilities within a certain time frame may end up costing companies much more than embarrassment.
Currently, there are no federal laws that govern how long a company has before it is required to report a data breach. On September 1, 2021, Congress began examining a House of Representatives bill that addresses how quickly companies need to report attacks (24 or 72 hours), what kinds of compromises need to be reported to CISA, and whether a fine should be imposed for non-compliance.
T-Mobile and BlackBerry may be the focus for now, but they are on a long list of companies that have come under scrutiny for the timeliness of reporting attacks. Last year, it was discovered that the software company SolarWinds was hacked, exposing nine federal agencies and about 100 companies in a supply chain attack. They too took their time reporting the incident, leaving attackers with 14 or more months of unrestricted access. The incident made the federal government appear incompetent.
In Congress, industry organizations from banking, energy, information technology, and telecommunications told the cybersecurity subpanel of the House Homeland Security Committee that they favored the House bill, which would forbid CISA from writing rules requiring them to report breaches within 72 hours. Separately, a Senate bill proposed a 24-hour window to report breaches, as well as reporting requirements for additional companies, such as incident response firms and government contractors.
Even if legislation on the turn-around for reporting breaches doesn’t happen, there are still consequences that your organization could face in all 50 U.S. states. Every state has some form of data breach notification law, which it has used and will use against organizations. California, Delaware, and Illinois, for example, have data breach notification laws covering instances where a customer’s personal identification is compromised.
While Congress goes back and forth with legislation surrounding data breach notification, certain states are taking matters into their own hands. Massachusetts Attorney General, Maura Healey, announced that her office is investigating T-Mobile. They want to determine if the cellular company had safeguards in place to protect their customers and their data.
Healey stated that under Massachusetts law, companies are required to notify her office if there is a data breach. Because T-Mobile waited to notify her office, part of the investigation is finding out what took them so long.
Regarding the T-Mobile data breach, is it time for a U.S. equivalent of a GDPR-type law when it comes to data protection? State-level legislation such as the California Consumer Privacy Act (June 2018) or the more recent Virginia Consumer Data Protection Act (March 2021) is a start. If these telecommunication giants are going to warehouse data, they must provide adequate security controls to protect it.
Also, because the U.S. currently lacks a comprehensive cybersecurity law, the FCC and FTC have limited leverage over the telecommunication companies. It is more likely that pressure will come from a class-action lawsuit and a loss of subscribers (churn, as it is known in the industry). If consumer data isn’t secure, customers may go to another vendor where they feel it is more secure. The question is, will it really be secure, and will they be notified if there is a breach?
Until substantial legislation (like a GDPR equivalent) is put in place at a national level, there is little motivation for the telecommunication giants to do more. In the T-Mobile breach, where public disclosure took several months, there might be some small payouts in a class-action suit and a year or two of credit monitoring service. Is this just the cost of doing business for them?
If a data breach happens to your organization, you don’t have to keep it a secret. As our research shows, there are vast consequences for not reporting breaches within a reasonable time frame. Waiting weeks, months, or (in SolarWinds’ case) 14 months is not acceptable.
You aren’t the first to be affected by cybercrimes that expose sensitive data, and you won’t be the last. There is help if you need it – help that could mean the difference between lost respect and gained respect if you respond to the attack within a decent amount of time.
Avertium’s DFIR (Digital Forensics and Incident Response) services are offered as an on-demand crisis response service as well as a retainer-based program that helps organizations like yours protect customers. Not only will we solve the root issue of your breach, but we will also help you and your team navigate potential legal and reputational liabilities. Our job is to help you assess, contain, eradicate, and recover from security incidents to minimize impact and return your business to normal operations. Some of the incidents we encounter are:
If you want to know more about this crucial service, please read our service brief here. Remember, it will cost you less, in the long run, to be accountable and respond in a timely way than to accidentally imply that you don’t care about protecting your customers’ privacy.
CISA (Cybersecurity and Infrastructure Security Agency) – The Nation’s risk advisor. They work to defend against cyber threats and collaborate to build more secure and resilient infrastructure for the future. They also work with the federal government to provide cybersecurity tools, incident response services, and assessment capabilities to safeguard “.gov” networks.
IMEI (International Mobile Equipment Identity) numbers – Every mobile phone is assigned an IMEI number. It’s unique to that phone and is printed on the inside of the phone, behind the battery pack. They are 15 digits and remain unchanged once registered. It’s the first thing you are asked if you lose your phone or if it gets stolen.
QNX Real-Time Operating System (QNX RTOS) – an embedded operating system that is used for ventilators, train controls, factory automation systems, medical reboots, and more.
Sources:
- T-Mobile says hackers accessed user data but won't confirm SSN breach of 100 million customers – ZDNet
- The T-Mobile data breach: A timeline – CSO Online
- Our Response to the Data Breach (Aug 2021) – T-Mobile
- BlackBerry resisted announcing major flaw in software powering cars, hospital equipment – POLITICO
- T-Mobile Data Breach: Massachusetts AG Maura Healey Launches Investigation – NBC Boston
- T-Mobile data breach under investigation by Massachusetts Attorney General Maura Healey – wcvb.com
- T-Mobile Investigating Claims of Massive Data Breach – Krebs on Security
- Breach notification window, accountability is the focus of the coming fight on cyber legislation in Congress – CyberScoop
- About CISA – CISA
- IMEI vs IMSI Number: What You Need to Know About Them – guidingtech.com
- Embedded OS, Support and Services | RTOS, Hypervisor – BlackBerry QNX
- What Are the Risks of Not Reporting a Data Breach? – Spirion
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of the Client's compliance with any law, regulation, or standard.