July 17, 2019

Sprint data breach highlights “importance of third-party risk assurance”

By Robert Scammell

US mobile network operator Sprint has confirmed that it suffered a data breach in which attackers had access to customer details such as first and last names, phone numbers and billing addresses.

Attackers accessed Sprint accounts using customer account credentials via the Samsung.com ‘add a line’ website. Once they had access, they gathered further personal information from Sprint accounts.

Other compromised information includes device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility and add-on services.

In a letter to impacted customers, shared by ZDNet, Sprint said it has “not identified any fraudulent activity” associated with affected accounts.

Sprint said that it reset PINs as a security precaution on 25 June, three days after the data breach. It added that “no other information that could create a substantial risk of fraud or identity theft was acquired”.

Sprint has so far remained tight-lipped about the number of customers affected, or whether the attackers modified any account details.

“It could be possible that Sprint is still collating the information, but transparency and clarity of impact is vitally important for companies in the aftermath of an incident. Delays to sharing information can undermine customer confidence,” said Javvad Malik, security awareness advocate at KnowBe4, a cybersecurity awareness training company.

Sprint data breach: Source of initial login credentials unknown

Malik added that the Sprint data breach highlights the “importance of third-party risk assurance”.

“When security is built-in at an early stage, the architecture can be designed in a more secure manner so that external, or even internal departments which don’t need access to functions cannot make any unauthorised changes,” he said.

Samsung has admitted that it was the source of the leak, but said the credentials used to gain initial access were obtained elsewhere.

“Samsung takes security very seriously. We recently detected fraudulent attempts to access Sprint user account information via Samsung.com, using Sprint login credentials that were not obtained from Samsung,” a Samsung spokesperson told The Register.

“We deployed measures to prevent further attempts of this kind on Samsung.com and no Samsung user account information was accessed as part of these attempts.”

Saryu Nayyar, CEO of cybersecurity firm Gurucul, said that the malicious activity should have alerted Sprint sooner.

“While details of this breach are scant, the reality is that a volume of accounts were compromised via a third party site. The spike in activity of ‘add a line’ transactions or visits to the ‘add a line’ website should have triggered alarm.

“That type of activity is both anomalous and risky. It should have set off alarms to be investigated by the Sprint security team. Once again, defending breaches after-the-fact is ineffective.”

Boris Cipot, senior security engineer at software company Synopsys, gave concerned customers the following advice:

“In addition to changing PIN numbers, as recommended by Sprint, I would also advise users to change their account credentials for the Sprint portal. As we know, many people use the same username and password for many different accounts, so it would be advisable to change those also. In any case, it would be advisable for everyone to change their password every now and then and not use the same credentials for different services.”

The Sprint data breach follows a third-party breach in March, in which attackers used details from its virtual mobile network operator Boost Mobile to access users’ Sprint accounts.

The Sprint data breach will be seen as poor timing for the North American firm as it awaits approval for a merger with T-Mobile.
