T-Mobile announced at the end of July 2022 that it has been fined $350 million to fund claims, legal fees and administrative costs. Further, the company has agreed to use an additional $150 million to upgrade and improve its security infrastructure, after falling victim to a cyber attack that compromised personal data belonging to 77 million current, former, and prepaid T-Mobile customers. The agreement was made and signed in the US District Court for the Western District of Missouri.
The breached personal data included names, addresses, birth dates, phone numbers, email addresses, as well as IMEI and IMSI information for about 7.8 million US customers.
Another 70 million former US customers had their names, dates of birth, social security numbers and drivers’ licenses leaked. The malicious actor who took responsibility for the hack claimed to have pierced T-Mobile's security defences using T-Mobile VPN credentials purchased on the dark web.
What is a VPN?
A VPN (Virtual Private Network) is a necessity in modern security architecture for online security, privacy and protection from malicious actors. Companies use VPNs to mask and encrypt data and IP information, which allows their employees to access company resources from remote locations without exposing that data on networks that may lack the necessary security controls.
Why have VPN attacks become more common?
VPN routers have become a popular way for attackers to intrude on company networks and security infrastructure. Virgin Media fell victim to this type of attack in 2021. Attackers were able to compromise Virgin Media routers within the UK and unmask true IP addresses. They then intercepted user network traffic to uncover further information, all achieved by exploiting a vulnerability in the VPN. The privacy implications of this were severe. This is one of many examples of how vulnerabilities are present in VPN routers, even if they belong to a trusted vendor. Vulnerabilities found in routers, combined with the increase in VPN traffic, have encouraged attackers to treat VPNs as a valuable method of attack. A compromised VPN allows the attacker to gain access to data with the overall goal of demanding a ransom fee from the victim, or selling the information on the dark web.
The pandemic accelerated remote working. With it came an increase in VPN traffic, as employees use VPNs to access company resources when they are away from the office. If hackers compromise a VPN, they gain access to the whole company network, because organisations often do not deploy network segmentation or limit their employees' access to information.
Lastly, IT and security teams tend to prioritise other actions to improve company infrastructure. This means that patches and updates to protect VPNs are delayed or just not implemented, due to the perception that VPNs guarantee a degree of safety.
What can organisations do to defend themselves from VPN attacks?
It is important for companies to ensure that their security is robust and up to date in order to avoid falling victim to cyber attacks. Vulnerabilities in a company’s infrastructure can compromise personal data and sensitive information, as seen in the T-Mobile case. Companies must ensure the following to limit the risk of falling victim to these types of attacks:
- Patch all VPN servers, firewalls and routers on a regular basis.
- Provide regular training on VPN security and social engineering to employees.
- Access controls (including Multi-Factor Authentication) must be implemented throughout the network. Privileged access segmentation must be implemented, preventing easy access to the company’s whole network if a VPN is breached.
- VPN usage must be monitored so that companies can prioritise safety controls depending on VPN traffic levels.
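As an added illustration of the monitoring and MFA points above (this example is not part of the original article), the following sketch reviews VPN authentication logs for the pattern stolen credentials tend to produce: a successful login without MFA, or from a network the account has not used before. The log format, the user names and the /24 grouping are assumptions made for the example, and the sample lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample VPN gateway auth log (hypothetical format, not a vendor's):
# timestamp user source_ip result mfa
SAMPLE_LOG = """\
2022-08-01T08:02:11Z alice 198.51.100.24 success mfa=yes
2022-08-01T08:05:40Z bob 203.0.113.7 success mfa=yes
2022-08-02T08:01:03Z alice 198.51.100.77 success mfa=yes
2022-08-02T23:14:52Z bob 192.0.2.200 success mfa=no
2022-08-03T02:40:19Z carol 192.0.2.201 failure mfa=no
2022-08-03T08:03:30Z alice 198.51.100.24 success mfa=no
"""

def parse_line(line):
    """Split one log line into a typed event dictionary."""
    ts, user, ip, result, mfa = line.split()
    return {"ts": ts, "user": user, "ip": ipaddress.ip_address(ip),
            "ok": result == "success", "mfa": mfa == "mfa=yes"}

def network_of(ip, prefix=24):
    """Group IPv4 sources by /24 (assumption) so address churn at one site is not 'new'."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def review_vpn_logins(log_text):
    """Return (timestamp, user, ip, reasons) for each successful login worth reviewing."""
    baseline = defaultdict(set)  # user -> networks seen on earlier MFA-verified logins
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not ev["ok"]:
            continue  # failed attempts are out of scope for this check
        net = network_of(ev["ip"])
        known = baseline[ev["user"]]
        reasons = []
        if not ev["mfa"]:
            reasons.append("no-mfa")
        if known and net not in known:
            reasons.append("new-network")
        if reasons:
            alerts.append((ev["ts"], ev["user"], str(ev["ip"]), reasons))
        if ev["mfa"]:
            known.add(net)  # only MFA-verified logins extend the trusted baseline
    return alerts

if __name__ == "__main__":
    for alert in review_vpn_logins(SAMPLE_LOG):
        print(alert)
```

Only MFA-verified logins extend a user's baseline, so a login made with stolen credentials does not teach the check to trust the attacker's network.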