Sprint customers victim of another hack

Sprint is the latest telco to become the victim of cybercrime as an unknown number of customers have had their personal data eyed over by nefarious parties.

In a letter sent to customers, Sprint has suggested a huge amount of personal information has been exposed to the darker corners of the internet. The hackers gained access via the Samsung ‘add a line’ website, with the total number of impacted customers being unknown for the moment.

“On June 22, Sprint was informed of unauthorized access to your Sprint account using your account credentials via the Samsung.com ‘add a line’ website,” the letter states. “We take this matter, and all matters involving Sprint customer’s privacy, very seriously.”

An ‘add a line’ website is one utilised by third parties, mainly device manufacturers, if customers want to add an additional phone line to an existing contract with a telco. Sprint offers this feature to customers who would like to add more individuals or devices to existing contracts.

This is of course not the first time Sprint customers have been the victim of the darker practices of the web, with the pre-paid brand Boost being compromised in March. Again, Sprint was not transparent about the severity of the breach, though in this instance a common technique called a credential stuffing attack was used.

Looking at the latest breach, exposure is quite severe. The hackers gained access to phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility, first and last name, billing address and add-on services.

Sprint has played down the risk in the letter, suggesting no other information ‘that could create a substantial risk of fraud or identity theft’ had been accessed. Sprint might want to play down the severity of the hack, but many will disagree with the laissez-faire attitude.

“When attackers manage to hijack legitimate access rights, they can remain undetected for extended periods of time,” said Saryu Nayyar, CEO of cybersecurity firm Gurucul.

“Many organisations don’t have the ability to identify subtle behavioural anomalies that are indicators of cyber threats. But with advanced machine learning algorithms it’s possible to spot behaviours that are outside the range of normal activities and intervene before the damage is done.”

Details are relatively thin on the ground right now; it is possible Sprint does not fully understand the severity of the breach at this point, though this is further evidence of security being an afterthought. Attitudes are changing for the better, though it is clear not enough firms are secure enough for today’s digitally-defined society.

Uber concealed data hack affecting 57 million users for a year

Hackers accessed a bunch of data on Uber drivers and customers in late 2016 but the company chose not to notify either regulators or those affected.

This is just the latest legacy bestowed on Uber CEO Dara Khosrowshahi by his predecessor and Uber founder Travis Kalanick. The company seems to be a magnet for controversy and recently had its license to operate in London revoked over public safety concerns. Khosrowshahi was brought in earlier this year to steady the ship, but skeletons keep emerging from the corporate closet.

“I recently learned that in late 2016 we became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service that we use,” wrote Khosrowshahi in an announcement. “The incident did not breach our corporate systems or infrastructure. Our outside forensics experts have not seen any indication that trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth were downloaded.”

From the many reports on this it appears the hackers got hold of some login details for an AWS account and it was from there that they downloaded the data. They then used that data to blackmail Uber, in the manner that is becoming increasingly common in the cyber-crime world.

Data breaches have become so common in recent years that we might not have even bothered reporting on this one were it not for the way Uber handled it. Apparently it paid the hackers $100,000 to delete the data and keep quiet, and then made out like the payment was a ‘bug bounty’ of the kind commonly paid by companies to hackers to test their security.

“At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals,” wrote Khosrowshahi. “We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed. We also implemented security measures to restrict access to and strengthen controls on our cloud-based storage accounts.”

The dodgy part of all this is the extent to which it was hushed up. Uber’s Chief Security Officer – Joe Sullivan – has already been shown the door for the part he played in it and it asks further questions of Kalanick, who remains on the company’s board. The New York Attorney General has already opened an investigation into the matter and given the company’s track record it can expect to be given little benefit of the doubt.