Mobile Provider Data Breaches: Know Your Risks

Last week, AT&T reported the latest in a series of high-profile data breaches. The company announced that approximately 9 million customer records, including names, email addresses, phone numbers and account numbers, were stolen from a third-party marketing firm that had been given access to the data by AT&T.

How do these large-scale data breaches happen?

In several recent cases, criminals targeted marketing firms that provide advertising to mobile carriers or that develop campaigns for mobile users. In the AT&T case, it was noted that the stolen data included eligibility for phone upgrades, making it reasonable to assume that the data breach was related to customer marketing. AT&T gave its customer data to a marketing firm to sell upgrades. The marketing firm was breached.

In other cases, companies that display ads on mobile devices have suffered significant data breaches exposing millions of customer records. In all of these cases, criminals did not target the mobile provider itself, but the third-party agency. Mobile providers typically have strong cyber security practices; the third parties they share your data with may not, making you vulnerable.

What are the risks from mobile data breaches?

Mobile data breaches can carry a particular risk for customers. As reported by Axios, criminals can use personal data from these breaches to launch SIM-swapping attacks, where a criminal clones a SIM card and then uses it to steal multifactor authentication codes. Ordinarily, a criminal who steals your username and password cannot access your accounts if you have two-factor authentication that sends a confirmation code to your phone. If the criminal can clone your phone number with information stolen from a data breach, they can then get the code and access your accounts.

In other words, criminals can defeat two-factor authentication, log in to your accounts and steal or wreak havoc at will. If you see authentication code requests that you did not initiate, log in to the affected accounts immediately and change your password, because it could mean someone is trying to gain access.

A lower level of risk comes from the exposure of phone numbers and email addresses. These will be sold to criminals for spam emails and phishing attempts. If you are a high-value target for hackers, you need to change your passwords and your multifactor authentication method.

What should I do to protect myself from criminal misuse of my data?

Assume that some of your personal data has been compromised. More than 74 million personal records have been posted to the Dark Web so far in 2023, according to Cyble. Next, think like a criminal.

Criminals gather several types of personal information to carry out hacks and phishing attacks. They need your name, address, email and phone number to start. Any additional information they can gather, including passwords or usernames, makes it easier for them to launch an attack.

The best defense is to change your passwords frequently and to be vigilant. Set up two-factor authentication with immediate alerts to your mobile device. The safest way to do this is to have a separate email that you use only for authentication that you never share or use for any other purpose. Have alerts sent to you whenever there is an authentication request sent, rather than having text alerts sent directly to your phone. In many cases, this thwarts SIM swapping.

If you have significant concerns, you may need to get a new phone number, which renders information stolen from data breaches useless. This poses a significant challenge for most people. Acquiring a low-cost second phone that you use solely for authentication can solve the problem without requiring you to change your primary number.

Whenever you can, opt out of data-sharing programs with your mobile provider. They will attempt to discourage this, but doing so removes one avenue that criminals can use to compromise your cyber security.

Are you vigilant with your personal data? Are you vigilant with data on the job? Would you be able to stop a phishing attack launched by a phone call from a criminal? Explore our CSI Protection Certification to develop the skills you need to stop cyber criminals at home and on the job.