Since the start of the year, cyberattacks targeting US telecommunications companies have been relentless, with over 74 million private records tied to customers of AT&T, T-Mobile, U.S. Cellular, and Verizon spilling onto the dark web.
In report posted by Cyble Research and Intelligence Labs, six previously reported data breaches impacting telecoms since the start of the year were carried out by exploiting security weaknesses on third-party vendor networks.
The vast majority of these breaches were caused by third-party vendors, software, and MSPs (managed service providers).
The breaches have led to targeted SIM swapping attacks on Google Fi, which uses T-Mobile as its primary service provider.
Another concern is that telecom networks “are widely used for multi-factor authentication and for sharing of business data (making them attractive targets,” said Bud Broomhead, CEO at Viakoo. The timing of when a breach is reported matters: the faster, the better to shrink the vulnerability window.
In response to the breaches in the telecommunications sector, the FCC issued a statement pushing for a change in current breach notification guidelines, proposing the removal of the compulsory seven-day waiting period before customers are notified of breaches, as well as expanding the scope of federal agencies that receive breach notifications to include the FCC, FBI, and the U.S. Secret Service. The threat landscape has shifted to more diverse types of threats, with adversaries interested in telco customer data to perpetrate additional crimes such as SIM jacking.
Third-party security risks are often hard to identify by downstream firms, and these risks have resulted in some of the past years’ biggest cyberattacks.
Telecoms companies must take third-party risks seriously and implement organization-wide zero-trust policies to minimize supply chain compromise.
The forthcoming National Cyber Strategy is expected to push for stronger public incident reporting, including in incident reporting.