Sprint is the latest telco to become the victim of cybercrime as an unknown number of customers have had their personal data eyed over by nefarious parties.
In a letter sent to customers, Sprint has suggested a huge amount of personal information has been exposed to the darker corners of the internet. The hackers gained access via the Samsung ‘add a line’ website, with the total number of impacted customers being unknown for the moment.
“On June 22, Sprint was informed of unauthorized access to your Sprint account using your account credentials via the Samsung.com ‘add a line’ website,” the letter states. “We take this matter, and all matters involving Sprint customer’s privacy, very seriously.”
An ‘add a line’ website is one utilised by third parties, mainly device manufacturers, if customers want to add an additional phone line to an existing contract with a telco. Sprint offers this feature to customers who would like to add more individuals or devices to existing contracts.
This is of course not the first time Sprint customers have been victims of the darker practices of the web, with the pre-paid brand Boost being compromised in March. Again, Sprint was not transparent about the severity of the breach, though in this instance a common technique called a credential stuffing attack was used.
Looking at the latest breach, exposure is quite severe. The hackers gained access to phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility, first and last name, billing address and add-on services.
Sprint has played down the risk in the letter, suggesting no other information ‘that could create a substantial risk of fraud or identity theft’ had been accessed. Sprint might want to play down the severity of the hack, but many will disagree with the laissez-faire attitude.
“When attackers manage to hijack legitimate access rights, they can remain undetected for extended periods of time,” said Saryu Nayyar, CEO of cybersecurity firm Gurucul.
“Many organisations don’t have the ability to identify subtle behavioural anomalies that are indicators of cyber threats. But with advanced machine learning algorithms it’s possible to spot behaviours that are outside the range of normal activities and intervene before the damage is done.”
Details are relatively thin on the ground right now, and it is possible Sprint does not fully understand the severity of the breach at this point, though this is further evidence of security being an afterthought. Attitudes are changing for the better, though it is clear not enough firms are secure enough for today’s digitally-defined society.