Skip to content

Urgent Lessons From the T-Mobile Data Breach

A hacker says he broke into the carrier’s network through a router and then ransacked its servers. Here are five ways to stop that from happening to you.


On Aug. 27, the Wall Street Journal reported that a massive data breach against T-Mobile, in which a hacker stole some 50 million customer records, was carried out by a 21-year-old who penetrated the company’s defenses through an unprotected router. The hacker reportedly rummaged through the carrier’s servers for a week before making off with his trove.

News of the hack—and the way it was carried out—must have alarmed business, IT, and security leaders in every industry and government agency. With sprawling digital networks underlying the U.S. economy, infrastructure, and military defense, and with millions of endpoints connected to those networks, how can anyone manage and protect every single one?

“[A]ttacks like this are on the rise and bad actors work day-in and day-out to…attack our systems and exploit them,” T-Mobile’s CEO Mike Sievert noted in a post. He wrote that dealing with the breach was “humbling.” He pledged that “keeping our customers’ data safe is a responsibility we take incredibly seriously and preventing this type of event from happening has always been a top priority of ours.”

Tanium’s Cyber Hygiene Assessment: An actionable path to better endpoint management and security

As CEOs like Sievert—and their IT and security teams—continue to battle what’s become an always-on campaign of cyber assaults from both nation-states and criminal gangs, there are a few lessons from these recent cyberbreaches that everyone should keep in mind.

Below are five of the most important.

Reduce your attack surface

The ability to reduce the attack surface requires that you know what assets your organization has and where they are located. Without an up-to-date inventory, any effort to secure your assets will be incomplete. But the effort to find assets can be complicated. Companies merge. They acquire other companies. Those companies may use their own internet connections.

Attacks are on the rise and bad actors work day-in and day-out to find new avenues to attack our systems and exploit them.

Mike Sievert, CEO, T-Mobile
With such sprawl, you need an always-on method to discover assets and to classify them. Once you know your assets and which ones are external, you can begin to reduce the attack surface.

It’s important to scan and understand your external perimeter the same way a hacker would.

Once you inventory everything in your network, you need to make your external environment boring to a hacker: Anything other than corporate branded websites and 100% necessary externally facing ports should not be accessible. The more information and services you make available to the public, the more you need to secure and shield those services from attackers.

Organizations provide externally facing services (such as websites and services for consumers and partners) in demilitarized zones (DMZs)—the networks that sit between the public internet and private networks. If those subnetworks are not properly configured, then websites and services can become exposed and exploitable.

[Read also: Asset discovery and inventory: the foundation for visibility and device management]

Sometimes, to expedite administration or access, a web service will be opened directly to the internet. But companies should not expose administrative services to the internet. The internet is constantly being attacked from the perimeter, and any direct or even indirect access can spell trouble for your network and ultimately for your organization and its resilience.

By undertaking a scan from the external perimeter, you can quickly see the services that are exposed in the same way a hacker would. It’s a good idea to monitor your systems to ensure that the services on your perimeter are not communicating with administrative or unauthorized services. Continually performing asset discovery inside the DMZ is critical to ensure that devices are not added without being brought through the onboarding process.

Manage your configurations

As Tony Robbins says, “Complexity is the enemy of execution.”

He could have had an illustrious career as a CISO. His maxim serves cybersecurity well. It turns out that simplification is the key to security, especially in today’s growing network complexity. Organizations must first find and inventory all their assets and endpoints. You can’t manage what you can’t see. Once you see everything in your network, only then can you secure it. And the best next step is managing your configurations, which many don’t do well.

In fact, among 300 CISOs surveyed by IDC last year, privileged access and configuration controls were a top threat to cloud risks—with 63% of those security leaders (most of whose organizations had experienced at least one cloud breach in the previous 18 months) saying it was a critical challenge to protect sensitive data.

It’s little wonder. IT teams often make critical mistakes in configuring their controls. Or they give each a different configuration, creating complexity and introducing unnecessary vulnerabilities. The thinking is that if all assets have the same configuration and get the same updates, then they will all have the same vulnerabilities. But that can actually be a good thing.

Having only one (or minimal) configuration per asset type allows you to devote time and resources to strengthening and testing just one configuration. If systems deviate from a planned configuration, your question should be why? What processes have broken down to make that happen?

Block lateral movement

Once hackers gain a foothold in an enterprise, their next move is often to push deeper into IT systems. The T-Mobile hacker reportedly said he breached a single router and then burrowed into the company’s servers. He probably did this by moving laterally across the network until he found the data he sought. Hackers move laterally by hopscotching from one endpoint to the next, capturing user access credentials through keystroke logging or other specialized tools.

“With the right credentials, they can get themselves anywhere they want to go,” Ben Rothke, senior information security manager at advertising and content delivery provider Tapad, tells Endpoint. With those credentials, says Rothke, the hacker can gain access to networks, applications, and even the cloud console used by an administrator. That makes preventing, identifying, and blocking lateral movement essential in defending any organization.

[Read also: Lateral movement: how cybercriminals move across your network and how to stop them]

Fortunately, there are several things you can do. First, make it as difficult as possible for an attacker to move laterally. You do this by raising the cost of success for the attacker. Make their lives hard by practicing the essentials of good cyber hygiene. That should include the previously mentioned management of assets and configurations, and also regular patch management.

You must also manage identities. It’s essential to know who has the credentials to access critical applications and networked resources. The principle of “least privilege” reduces the internal attack surface, giving users access only to the resources they absolutely need to do their jobs.

Be a proactive threat hunter

Why? Because it’s not a matter of when, but how.

Enterprises can no longer afford to wait until someone else is breached and then go looking for the same malware or hacker in their own systems. They need to proactively threat hunt, identify deviations of norms in their networks, and do something about them.

That means first identifying specific indicators of compromise (IOCs) and then looking for them regularly. These could be known hacker processes or tools, used against others in the industry. Focus on identifying hacker tactics, techniques, and procedures (TTPs). For example, hackers need to conduct reconnaissance to identify targets of value and move laterally in a network.

Since there are only a few methods by which hackers can move through an environment, seeking out their TTPs is the best way for a threat-hunter to find them. Among the questions you should ask: How do I find deviations from the norm? What are the norms I should monitor? (Network traffic from critical databases or servers may be one.) Am I as nimble as my would-be attackers? If not, how can I be?

[Read also: What are today’s biggest IT and cybersecurity challenges?]

Of course, once you find intruders, you need to remove them. That’s where being nimble counts. Because a few hours or days can make a big difference. How have you flattened your reporting so that the people who need the information receive and examine it quickly?

And finally: Protect your passwords!

Passwords are a key part of the new network perimeter for many organizations. As millions of remote workers access corporate networks and cloud-based apps over endpoint devices like laptops, PCs, and tablets, each of those endpoints becomes a potential entry point for mischief.

Passwords are designed to keep the bad guys out. But humans are fallible and don’t always use passwords appropriately. You might think Marlins1234 is a perfectly strong key to your digital locks. But one look at your social network and a hacker will be able to guess that password with little effort. For proof, take a look at the 200 most common passwords.

Millions of American workers are bad at password hygiene. More than half (57%) said in a recent survey that they write their work-related passwords on sticky notes, according to Keeper Security. That’s carelessness. And it’s only increased since the pandemic. The same survey found that 66% of workers are more likely to write down passwords when working from home.

[Read also: Why we still need World Password Day]

Of course, in today’s environment, multifactor authentication (MFA) is also a must. Websites, applications, and enterprise networks often use MFA by pairing password logins with third-party authenticator apps that users can access over a smartphone. However, MFA is not a panacea, especially if carriers like T-Mobile are being attacked. As organizations look to the future, many are evaluating zero-trust network access for additional security on top of legacy password controls.

And if all else fails, call this guy.

Boyd White

Boyd White is a director of technical solutions engineering at Tanium. He began his career with the NSA and has experience in all aspects of information security. He also contributed to the creation of the National Institute of Standards and Technology Cybersecurity Framework.

Tanium Subscription Center

Get Tanium digests straight to your inbox, including the latest thought leadership, industry news and best practices for IT security and operations.