More stories


    Singapore government expands bug hunt with hacker rewards scheme

    Singapore is offering payouts of up to $5,000 for white-hat hackers to uncover security vulnerabilities in systems used by the public sector. The new scheme is the latest in the government’s efforts to involve the community in assessing its ICT infrastructure. The Government Technology Agency (GovTech) said its new Vulnerability Rewards Programme was the third crowdsourced initiative it has adopted to enhance the security of its ICT systems. It also runs bug bounty and vulnerability disclosure programmes, the latter of which is available to the public to report potential security holes. “The three crowdsourced vulnerability discovery programmes offer a blend of continuous reporting and seasonal in-depth testing capabilities that tap the larger community, in addition to routine penetration testing conducted by the government,” GovTech said in a statement Tuesday.

    The government CIO office said the bug bounty programmes were “seasonal”, focusing on five to 10 critical and “high-profile” systems during each run. The new rewards scheme, though, would be ongoing and “continuously test” a wider range of critical ICT systems needed to deliver essential digital services, it said. Depending on the severity of the vulnerabilities uncovered, between $250 and $5,000 would be offered to hackers who are approved to participate in the rewards programme. In addition, a special bounty of up to $150,000 could be awarded for vulnerabilities identified as potentially causing “exceptional impact” on selected systems and data. Details outlining such vulnerabilities would be provided to registered hackers and would apply only to selected government systems. According to GovTech, the special bounty would be benchmarked against global crowdsourced vulnerability programmes, such as those run by technology vendors such as Google and Microsoft.

    The new rewards scheme would initially encompass three public-sector systems: SingPass and CorpPass; member e-services under the Manpower Ministry and Central Provident Fund Board; and WorkPass Integrated System 2, which is operated by the Manpower Ministry. The programme will be extended to more critical ICT systems progressively, GovTech said. Only hackers who meet a set of criteria will be permitted to participate in the rewards scheme, with checks conducted by bug bounty operator HackerOne. Once approved, participants must conduct security assessments through a designated virtual private network gateway provided by HackerOne, and their access would be withdrawn if they breached the permitted rules of engagement. GovTech’s assistant chief executive for governance and cybersecurity, Lim Bee Kwan, said the agency first adopted crowdsourced vulnerability discovery programmes in 2018. Since then, it had worked with more than 1,000 hackers to identify 500 valid vulnerabilities. “The new Vulnerability Rewards Programme will allow the government to further tap the global pool of cybersecurity talents to put our critical systems to the test, keeping citizens’ data secured to build a safe and secure smart nation,” Lim said. As of August 2021, the Singapore government had run four bug bounties, each lasting two to three weeks, covering 33 systems. More than $100,000 had been paid out to participants. The public vulnerability disclosure programme was launched in October 2019 and has led to more than 900 reported vulnerabilities, as of March 2021, involving 59 government agencies. Of those, at least 400 were valid bugs that have since been plugged. A report last month revealed that half of the vulnerabilities uncovered in 2020 via the Singapore government’s bug bounty and public disclosure programmes were valid.

    The public sector recorded a 44% increase in data incidents over the past year, though none were assessed to be of “high severity”, according to the report by the Smart Nation and Digital Government Office. Some 1,560 SingPass accounts, needed to access e-government services, were involved in a 2014 security breach in which users received notifications that their passwords had been reset despite not requesting it. The government then blamed the incident on the likely use of weak passwords or malware that could have been installed on the affected users’ personal devices. Two-factor authentication (2FA) was introduced the following year as part of efforts to strengthen security on the e-government platform.


    Chinese state media says online gaming for minors now limited to three hours per week

    People aged under 18 living in China will now only be allowed to play online games for three hours per week. The new mandate will see minors allowed only one hour of online games on Fridays, Saturdays, Sundays and official holidays, according to state media outlet Xinhua, and only between 8pm and 9pm on those days. The ban, issued by China’s National Press and Publication Administration (NPPA) on Monday evening, is aimed at preventing minors from becoming addicted to online gaming, the report said. In issuing the ban, the gaming regulator reportedly called for online game providers to implement real-name registration and logins, saying providers should not allow minors to play online games if they fail to register and log in using their real identities. The NPPA also reportedly told Xinhua it would increase the frequency of its inspections of online gaming companies to ensure they implement time limits and anti-addiction systems. Prior to the latest measures, Tencent at the start of the month had already announced further restrictions on how much minors could play its flagship game Honour of Kings as part of efforts to appease government concerns. Under that restriction, Honour of Kings gamers under the age of 18 had their playing time limited to one hour on regular days and two hours on public holidays.

    The expanded gaming ban is the latest in a flurry of moves China has made as part of its crackdown on the local tech sector. In the area of online child protection alone, Beijing prosecutors have launched a public-interest civil lawsuit against WeChat, accusing the company of not complying with laws focused on protecting minors, while the Cyberspace Administration of China last month issued a special action banning people under the age of 16 from appearing in content on online live-streaming and video platforms. Beyond online child protection, the Chinese government has pushed through a new personal data protection law, punished 43 apps for illegally transferring user data, and ordered local food delivery platforms to provide riders with minimum wages. It has also removed Didi from Chinese app stores and placed it under cybersecurity review, slapped Alibaba with a record 18.2 billion yuan fine, and put Tencent on notice for collecting more user data than deemed necessary when offering services.


    Fujitsu says stolen data being sold on dark web 'related to customers'

    Data from Japanese tech giant Fujitsu is being sold on the dark web by a group called Marketo, but the company said the information “appears related to customers” and not its own systems. On August 26, Marketo wrote on its leak site that it had 4 GB of stolen data and was selling it. The group provided samples of the data and claimed it had confidential customer information, company data, budget data, reports and other company documents, including information on projects. Initially, the group’s leak site said it had 280 bids on the data, but the site now shows 70 bids, including one bid today.

    A Fujitsu spokesperson downplayed the incident and told ZDNet that there was no indication it was connected to a May incident in which hackers stole data from Japanese government entities through Fujitsu’s ProjectWEB platform. “We are aware that information has been uploaded to dark web auction site ‘Marketo’ that purports to have been obtained from our site. Details of the source of this information, including whether it comes from our systems or environment, are unknown,” the spokesperson told ZDNet. “Because this includes information that appears related to customers, we will refrain from commenting on the details. I assume that you may recall the last event of Project WEB on May, but there is no indication that this includes information leaked from ProjectWEB, and we believe that this matter is unrelated.” Cybersecurity experts such as Cato Networks senior director of security strategy Etay Maor questioned the number of bids on the data, noting that the Marketo group controls the website and could easily change the number as a way to put pressure on buyers.

    But Ivan Righi, cyber threat intelligence analyst with Digital Shadows, said Marketo is known to be a reputable source. Righi said the legitimacy of the stolen data cannot be confirmed but noted that previous data leaks by the group have been proven genuine. “Therefore, it is likely that the data exposed on their website is legitimate. At the time of writing, Marketo has only exposed a 24.5 MB ‘evidence package,’ which contained some data relating to another Japanese company called Toray Industries. The group also provided three screenshots of spreadsheets allegedly stolen in the attack,” Righi said. He explained that while Marketo is not a ransomware group, it operates similarly to ransomware threat actors. “The group infiltrates companies, steals their data, and then threatens to expose that data if a ransom payment is not made. If a company does not respond to the threat actor’s ransom demand, they are eventually posted on the Marketo data leak site,” Righi told ZDNet. “Once a company is posted on the Marketo site, an evidence package is usually provided with some data stolen from the attack. The group will then continue to threaten the companies and expose data periodically, if the ransom is not paid. While the group does have an auction section on their website, not all victims are available in this section, and Fujitsu has not been put up for auction publicly at the time of writing. It is unknown where the 70 bids purportedly came from, but it is possible that these bids may originate from closed auctions.”

    Digital Shadows wrote a report about the group in July, noting that it was created in April 2021 and often markets its stolen data through a Twitter profile by the name of @Mannus Gott. The account has taunted Fujitsu in recent days, writing on Sunday, “Oh, the sweet, sweet irony. One of the largest IT services provider couldn’t find themselves an adequate protection.” The gang has repeatedly claimed it is not a ransomware group but an “informational marketplace.” It contacted multiple news outlets in May to tout its work. “The marketplace itself operates in a similar fashion to other data leak sites with some unique features. Interestingly the group includes an ‘Attacking’ section naming organizations that are in the progress of being attacked. The marketplace allows for user registration and provides a contact section for victim and press inquiries,” Digital Shadows’ Photon Research Team wrote. “Victims are provided a link to a separate chat to conduct negotiations. Within the individual posts, Marketo provides a summary of the organization, screenshots of seemingly compromised data, and a link to an ‘evidence pack’ otherwise known as a proof. They auction sensitive data in the form of a silent auction through a blind bidding system where users make bids based on what they think the data is worth.”

    In the past, the group has gone so far as to send samples of stolen data to a company’s competitors, clients and partners as a way to shame victims into paying for their data back. The group has listed dozens of companies on its leak site, including Puma recently, and generally leaks one each week, mostly selling data from organizations in the US and Europe. At least seven industrial goods and services companies have been hit alongside organizations in the healthcare and technology sectors.


    Passport info and healthcare data leaked from Indonesia's COVID-19 test-and-trace app for travelers

    Researchers with vpnMentor have uncovered a data breach involving the COVID-19 test and trace app created by the Indonesian government for those traveling into the country. The ‘test and trace app’, named electronic Health Alert Card or eHAC, was created in 2021 by the Indonesian Ministry of Health, but the vpnMentor team, led by Noam Rotem and Ran Locar, said it did not have the proper data privacy protocols in place and exposed the sensitive data of more than one million people through an open server. The app was built to hold the test results of those traveling into the country to make sure they were not carrying COVID-19 and is mandatory for anyone flying into Indonesia from another country. Both foreigners and Indonesian citizens must download the app, even those traveling domestically within the country. The eHAC app keeps track of a person’s health status, personal information, contact information, COVID-19 test results and other data.

    Rotem and Locar said their team discovered the exposed database “as part of a broader effort to reduce the number of data leaks from websites and apps around the world.” “Our team discovered eHAC’s records with zero obstacles, due to the lack of protocols in place by the app’s developers. Once they investigated the database and confirmed the records were authentic, we contacted the Indonesian Ministry of Health and presented our findings,” the vpnMentor research team said. “After a couple of days with no reply from the ministry, we contacted Indonesia’s Computer Emergency Response Team agency and, eventually, Google — eHAC’s hosting provider. By early August, we had not received a reply from any of the concerned parties. We tried to reach out to additional governmental agencies, one of them being the BSSN (Badan Siber dan Sandi Negara), which was established to carry out activities in the field of cyber security. We contacted them on August 22nd and they replied on the same day. Two days later, on August 24, the server was taken down.” 

    The Indonesian Ministry of Health and Foreign Ministry did not respond to requests for comment from ZDNet. In their report, the researchers explain that the people who created eHAC used an “unsecured Elasticsearch database to store over 1.4 million records from approximately 1.3 million eHAC users.” On top of the leak of sensitive user data, the researchers found that all of the infrastructure around eHAC was exposed, including private information about local Indonesian hospitals as well as government officials who used the app. The data involved in the leak includes user IDs — which ranged from passports to national Indonesian ID numbers — as well as COVID-19 test results and data, hospital IDs, addresses, phone numbers, URN ID number and URN hospital ID number. For Indonesians, their full names, numbers, dates of birth, citizenship, jobs and photos were included in the leaked data.

    The researchers also found data from 226 hospitals and clinics across Indonesia as well as the name of the person responsible for testing each traveller, the doctors who ran the test, information about how many tests were done each day and data on what kinds of travelers were allowed at the hospital. The leaked database even had personal information for a traveler’s parents or next of kin as well as their hotel details and other information about when the eHAC account was created. Even eHAC staff members had their names, ID numbers, account names, email addresses and passwords leaked. “Had the data been discovered by malicious or criminal hackers, and allowed to accumulate data on more people, the effects could have been devastating on an individual and societal level,” the researchers said. “The massive amount of data collected and exposed for each individual using eHAC left them incredibly vulnerable to a wide range of attacks and scams. With access to a person’s passport information, date of birth, travel history, and more, hackers could target them in complex (and simple) schemes to steal their identity, track them down, scam them in person, and defraud them of thousands of dollars. Furthermore, if this data wasn’t sufficient, hackers could use it to target a victim in phishing campaigns over email, text, or phone calls.” 

    The vpnMentor research team uses “large-scale web scanners” to search for unsecured data stores containing information that shouldn’t be exposed. “Our team was able to access this database because it was completely unsecured and unencrypted. eHAC was using an Elasticsearch database, which is ordinarily not designed for URL use,” the researchers added. “However, we were able to access it via browser and manipulate the URL search criteria into exposing schemata from a single index at any time. Whenever we find a data breach, we use expert techniques to verify the owner of the database, usually a commercial business.”

    The report notes that with all of the data, it would be easy for hackers to pose as health officials and conduct any number of scams on any of the 1.3 million people whose information was leaked. Hackers could also have changed data in the eHAC platform, potentially hampering the country’s COVID-19 response. The researchers noted that they were wary of testing any of these potential attacks out of fear of disrupting the country’s efforts to contain COVID-19, which may already be damaged by the government’s haphazard management of the database. The vpnMentor team added that if there was a hack or ransomware attack involving the database, it could have led to the kind of distrust, misinformation and conspiracy theories that have gained a foothold in dozens of countries. “If the Indonesian people learned the government had exposed over 1 million people to attack and fraud via an app built to combat the virus, they may be reluctant to engage in broader efforts to contain it — including vaccine drives,” the researchers said. “Bad actors would undoubtedly exploit the leak for their gain, jumping on any frustration, fear, or confusion, creating mistruths and exaggerating the leak’s impact beyond all reasonable proportion. All of these outcomes could significantly slow down Indonesia’s fight against Coronavirus (and misinformation in general) while forcing them to use considerable time and resources to fix their own mess. The result is further pain, suffering, and potential loss of life for the people of Indonesia.”

    The researchers said the designers of the eHAC system needed to secure the servers, implement proper access rules and make sure never to leave the system, which did not require authentication, open to the internet. They urged those who think their information may have been affected to contact the Indonesian Ministry of Health directly to find out what next steps may need to be taken. eHAC is far from the only COVID-19 related app to face such problems. Since the beginning of the pandemic, the emergence of contact tracing apps has caused worry among researchers, who have repeatedly shown how faulty these tools can be. Just last week, Microsoft faced significant backlash after its Power Apps were found to have exposed 38 million records online, including contact tracing records. In May, the personal health information belonging to tens of thousands of Pennsylvanians was exposed following a data breach at a Department of Health vendor. The Department of Health accused the vendor of exposing the data of 72,000 people by willfully disregarding security protocols.
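An added example, not vpnMentor's scanner and not anything from the eHAC project: a small Python checker for the condition the researchers describe, an Elasticsearch cluster that answers unauthenticated HTTP requests. It reads the root banner, lists indices through `_cat/indices`, pulls each index's field mapping and flags field names that suggest personal data. The host address, index and field names in the embedded sample replies are constructed, not taken from the eHAC database, and the sensitive-field pattern is an assumption to extend per target. Run it only against hosts you are authorised to test.

```python
"""Check whether an Elasticsearch endpoint answers unauthenticated requests.

Added example for this page, not vpnMentor's tooling: it mirrors how an open
cluster is confirmed (read the root banner, list indices, pull each index's
field mapping) and flags field names that look like personal data. Use only
against hosts you are authorised to test; the sample replies at the bottom
are constructed and stand in for a live host when no URL is given.
"""
import json
import re
import sys
from typing import Callable, Dict, List, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# path -> (HTTP status, body); status 0 means no answer at all
Fetch = Callable[[str], Tuple[int, str]]

# Field-name fragments that suggest personal data (assumption; extend per target)
SENSITIVE_FIELD = re.compile(r"name|passport|password|phone|email|birth|dob|address|national", re.I)


def http_fetch(base_url: str, timeout: float = 5.0) -> Fetch:
    """Fetch function for a live host, e.g. http://192.0.2.10:9200 (no credentials sent)."""
    def fetch(path: str) -> Tuple[int, str]:
        req = Request(base_url.rstrip("/") + path, headers={"Accept": "application/json"})
        try:
            with urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except HTTPError as err:
            return err.code, err.read().decode("utf-8", "replace")
        except URLError:
            return 0, ""
    return fetch


def _fields(mapping: dict, index: str) -> List[str]:
    """Top-level field names from a GET /<index>/_mapping reply (ES 6.x and 7.x shapes)."""
    mappings = mapping.get(index, {}).get("mappings", {})
    if "properties" not in mappings:                      # ES 6.x nests a document type first
        mappings = next((v for v in mappings.values() if isinstance(v, dict)), {})
    return sorted(mappings.get("properties", {}).keys())


def assess_cluster(fetch: Fetch) -> Dict:
    """Return an exposure verdict and, for an open cluster, a per-index summary."""
    status, body = fetch("/")
    if status in (401, 403):
        return {"exposed": False, "reason": f"authentication enforced (HTTP {status})", "indices": []}
    if status != 200:
        return {"exposed": False, "reason": f"no Elasticsearch root answer (HTTP {status})", "indices": []}
    try:
        version = json.loads(body)["version"]["number"]
    except (ValueError, KeyError, TypeError):
        return {"exposed": False, "reason": "root reply is not an Elasticsearch banner", "indices": []}

    status, body = fetch("/_cat/indices?format=json")
    try:
        entries = json.loads(body) if status == 200 else []
    except ValueError:
        entries = []
    if status != 200:
        return {"exposed": True, "version": version, "indices": [],
                "reason": "banner readable without auth but index listing denied"}
    findings = []
    for entry in entries:
        name = entry["index"]
        if name.startswith("."):                          # skip internal indices such as .kibana
            continue
        m_status, m_body = fetch(f"/{name}/_mapping")
        fields: List[str] = []
        if m_status == 200:
            try:
                fields = _fields(json.loads(m_body), name)
            except ValueError:
                pass
        findings.append({"index": name,
                         "docs": int(entry.get("docs.count") or 0),
                         "sensitive_fields": [f for f in fields if SENSITIVE_FIELD.search(f)]})
    return {"exposed": True, "version": version, "indices": findings,
            "reason": "indices and field mappings readable without authentication"}


# Constructed replies (not real eHAC data) in the shape an open 7.x cluster returns.
_SAMPLE = {
    "/": (200, json.dumps({"name": "node-1", "cluster_name": "health", "version": {"number": "7.10.2"}})),
    "/_cat/indices?format=json": (200, json.dumps([
        {"health": "green", "index": ".kibana_1", "docs.count": "12"},
        {"health": "yellow", "index": "travel_records", "docs.count": "1350000"},
    ])),
    "/travel_records/_mapping": (200, json.dumps({"travel_records": {"mappings": {"properties": {
        "full_name": {"type": "text"}, "passport_no": {"type": "keyword"},
        "phone": {"type": "keyword"}, "test_result": {"type": "keyword"},
        "hospital_id": {"type": "keyword"}}}}})),
}


def sample_fetch(path: str) -> Tuple[int, str]:
    """Stand-in for an unauthenticated, exposed cluster."""
    return _SAMPLE.get(path, (404, ""))


def locked_fetch(path: str) -> Tuple[int, str]:
    """Stand-in for a cluster with security enabled: every request gets HTTP 401."""
    return 401, '{"error": {"type": "security_exception"}}'


if __name__ == "__main__":
    target = http_fetch(sys.argv[1]) if len(sys.argv) > 1 else sample_fetch
    print(json.dumps(assess_cluster(target), indent=2))
```

Run it as `python es_open_check.py http://host:9200`; with no argument it evaluates the embedded sample and prints the verdict. The fix the researchers asked for maps directly onto the two failing checks: bind the node to a private interface and turn on authentication, so the root request returns 401 instead of a banner and the index listing is never reachable from the internet.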


    Bangkok Airways apologizes for passport info breach as LockBit ransomware group threatens data leak

    Bangkok Airways has apologized for a data breach involving passport information and other personal data in a statement to customers. The company said that it discovered a “cybersecurity attack which resulted in unauthorized and unlawful access to its information system” on August 23. 

    The statement said the company is “deeply sorry for the worry and inconvenience that this malicious incident has caused.” Bangkok Airways did not respond to requests for comment from ZDNet about how many customers were involved in the breach or what timeframe the data came from, but in its statement the company said an investigation revealed that the names, nationalities, genders, phone numbers, emails, addresses, contact information, passport information, historical travel information, partial credit card information and special meal information of passengers had been accessed. The company said it is still investigating the attack and is working on strengthening its IT systems as it identifies potential victims. The attackers were not able to affect Bangkok Airways’ operational or aeronautical security systems, according to the statement, and the Royal Thai Police have been notified of the incident.

    “For primary prevention measures, the company highly recommends passengers to contact their bank or credit card provider and follow their advice and change any compromised passwords as soon as possible,” the company said. “In addition to that, the company would like to caution passengers to be aware of any suspicious or unsolicited calls and/or emails, as the attacker may be claiming to be Bangkok Airways and attempt to gather personal data by deception (known as ‘phishing’).” The airline urged customers to contact the police or take legal action if they receive any notices purporting to be from Bangkok Airways asking for credit card details or other information. The announcement, released on Friday, coincided with a notice from the LockBit ransomware group saying it planned to release 103 GB of compressed files that it claimed were stolen from Bangkok Airways.

    The group said it would release the data on August 30, but in the past it has extended deadlines or reneged on threats to release data. LockBit operators faced criticism weeks ago when they threatened to leak data they said was stolen from billion-dollar tech services company Accenture. They repeatedly pushed back the deadline before Accenture came forward to dismiss claims that any significant data was taken. The Australian Cyber Security Centre (ACSC) released an advisory in early August noting that the LockBit ransomware group had relaunched after a brief dip in activity and had ramped up attacks. Members of the group are actively exploiting an existing vulnerability in the Fortinet FortiOS and FortiProxy products, identified as CVE-2018-13379, to gain initial access to specific victim networks, the advisory said. “The ACSC is aware of numerous incidents involving LockBit and its successor ‘LockBit 2.0′ in Australia since 2020. The majority of victims known to the ACSC have been reported after July 2021, indicating a sharp and significant increase in domestic victims in comparison to other tracked ransomware variants,” the release added. “The ACSC has observed LockBit affiliates successfully deploying ransomware on corporate systems in a variety of sectors including professional services, construction, manufacturing, retail and food.” In June, the Prodaft Threat Intelligence team published a report examining LockBit’s RaaS structure and its affiliates’ proclivity for buying Remote Desktop Protocol access to servers as an initial attack vector. “Commercial and professional services as well as the transportation sector are also highly targeted by the LockBit group,” Prodaft said. Those who believe they may have been affected by the attack are urged to contact [email protected] for more information.
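An added example, not from ZDNet, the ACSC or Prodaft: detection logic in Python for the CVE-2018-13379 request pattern the advisory cites as LockBit's initial-access vector. The fingerprint is the publicly documented one for this bug, a GET to the SSL VPN portal's `/remote/fgt_lang` endpoint whose `lang` parameter escapes the language directory with `..` and names `sslvpn_websession`, the file holding live session credentials. The log lines embedded in the script are constructed in combined log format, as a reverse proxy or IDS in front of the portal might record them; the page gives no log samples and FortiGate's own event logs use a different format, so the line regex is an assumption to adapt for that source.

```python
"""Flag HTTP requests matching the CVE-2018-13379 traversal pattern.

Added example, not from ZDNet, the ACSC or Prodaft. The fingerprint is the
public one for this bug: a request to the SSL VPN portal's /remote/fgt_lang
endpoint whose lang= parameter walks out of the language directory with ".."
or names sslvpn_websession, the file holding live session credentials. The
log lines at the bottom are constructed in combined log format, as a proxy
or IDS in front of the portal might record them (assumption: the page gives
no log samples, and FortiGate event logs use their own format).
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Combined-log-format prefix: client, identity, user, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/remote/fgt_lang"


def _decode(value: str) -> str:
    """Percent-decode up to twice (scanners double-encode "..%2f" as "..%252f")."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def is_cve_2018_13379(target: str) -> bool:
    """True when the request target carries the traversal/session-file fingerprint."""
    parts = urlsplit(target)
    if _decode(parts.path).lower() != VULN_PATH:
        return False
    for value in parse_qs(parts.query, keep_blank_values=True).get("lang", []):
        lang = _decode(value).lower()
        # a legitimate value is a short language code; any path-like value is hostile
        if "../" in lang or lang.startswith("/") or "sslvpn_websession" in lang:
            return True
    return False


def scan_log(lines: List[str]) -> List[Dict]:
    """Return one alert per matching request; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_cve_2018_13379(m["target"]):
            alerts.append({"ip": m["ip"], "time": m["ts"],
                           "target": m["target"], "status": int(m["status"])})
    return alerts


# Constructed sample: two traversal attempts (plain and URL-encoded) among normal portal traffic
SAMPLE_LOG = """\
203.0.113.7 - - [02/Aug/2021:02:14:09 +0700] "GET /remote/login?lang=en HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Aug/2021:02:14:11 +0700] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 34219 "-" "python-requests/2.25.1"
192.0.2.50 - - [02/Aug/2021:02:15:02 +0700] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 1023 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Aug/2021:02:16:40 +0700] "GET /remote/fgt_lang?lang=..%2F..%2F..%2F..%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 34219 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{alert['time']} {alert['ip']} -> HTTP {alert['status']} {alert['target']}")
```

A match with HTTP 200 and a large response body is the one to escalate: it means the session file was served, so every VPN credential held in it should be treated as stolen and rotated, not merely the appliance patched. The decoder unquotes twice because scanners routinely double-encode the traversal to slip past filters that decode only once.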


    Singapore touts need for security, use cases as 5G rollouts gather steam

    Singapore has underscored the need for 5G networks to remain secure and resilient, as well as for use cases to be developed and tested so the ecosystem can thrive. Its calls come as local telco Singtel announces new customer trials running on its standalone 5G network, including in logistics and manufacturing. Unlike previous generations of mobile networks, which were built primarily on hardware, 5G systems are software-driven. This architectural change could create new potential security vulnerabilities, according to Singapore’s Minister for Communications and Information Josephine Teo.

    “As we expand the adoption of 5G, we must be mindful of the potential for new cyber risks,” Teo said Monday in a speech broadcast during Singtel’s virtual event, which featured new trials the telco was running on its 5G standalone network. “Digital infrastructure must be secure. Consumers and businesses must have confidence that our 5G networks are resilient,” she said. “It is important to uphold Singapore’s reputation as a trusted player, here and abroad.” She noted that the Infocomm Media Development Authority (IMDA) had stressed the importance of “security and resilience” as regulatory priorities. The industry regulator last year announced a 5G security testbed initiative, in which IMDA worked alongside telcos to boost their security posture and capabilities, Teo said. She added that local telcos had “committed to adopt” a zero-trust security posture, which meant they would have to verify all activities before these were trusted. Carriers also would have to implement constant monitoring and be vigilant for suspicious activities, the minister said. She suggested telcos could further tap global market opportunities if they were able to differentiate their services in the 5G cybersecurity segment.

    In particular, they would need to play their role in driving the local ecosystem and adoption of 5G, she said. “Imagine an appstore with no apps for us to download. Likewise, 5G infrastructure itself cannot deliver magic without actual use cases being developed, tested, and scaled up,” Teo said. Singtel Group CEO Yuen Kuan Moon pointed to 5G’s potential to “transform” business models and drive the development of new products and services, including stimulating new growth to “reinvigorate” the Singapore telco’s own core business. Yuen said the combination of Internet of Things (IoT) and artificial intelligence (AI) would provide for more intelligent connectivity, delivering new value propositions for organisations and consumers. For enterprises in particular, he touted Singtel’s MEC (Multi-access Edge Computing) platform as the vehicle to develop new applications such as smart city planning and 5G-powered e-racing. Singtel today announced it was working with virtual car racing operator Formula Square to test a 5G-powered experience of racing remote-controlled cars at Sentosa.

    Use cases that tap key 5G benefits

    Asked if the telco was focusing on key verticals in running 5G pilots, Singtel’s vice president for 5G enterprise and cloud Dennis Wong said potential use cases cut across multiple sectors including manufacturing, logistics, financial services, and retail. Some functionalities and applications saw quicker adoption than others, such as drones and autonomous vehicles, where regulatory issues were still evolving and the ecosystems less mature. These would require more time before 5G adoption picked up, Wong said in an interview with ZDNet. Some applications such as video analytics were seeing high interest as these were easily realised and had different use cases that could be deployed across multiple verticals, he noted. The technology, for instance, could be used in manufacturing to identify defects or in transport for security. Video streaming also could be used in the medical field. In exploring potential use cases, he said the key benefits of 5G were its ability to deliver low latency, high data speeds, and enhanced security. These would help organisations willing to adopt the technology to identify applications they could develop and work with Singtel and its partners to do so. Asked how many trials Singtel was currently running with its enterprise customers, Wong said the number was in the “multiple tens”. He added that several others were rejected for various reasons, including a lack of value proposition and an immature ecosystem. He said the telco’s “5G network in a box” service, called Genie, also was seeing high interest, with enterprise customers requesting to extend their loan period beyond the standard two weeks. When asked, he declined to say how many of these boxes were currently in circulation. Launched in April, Genie was touted to provide a 5G network environment anywhere with an available power source, enabling enterprises to deploy and test their applications. Tucked inside a suitcase-sized container, Genie comprised a 5G network control kit as well as a standing mount with a 5G radio antenna. The box was built to work with the telco’s MEC infrastructure, which was heavily pitched today as the platform on which applications were optimised for 5G’s key features, including low latency, high bandwidth, and real-time compute capabilities at the edge, such as data analytics and AI processing. Singtel in recent months also inked partnerships with Microsoft and Amazon Web Services (AWS), so enterprise customers of these hyperscalers could run their applications on the telco’s MEC and 5G infrastructure, Wong said. Yuen added that 5G and AI, along with data analytics, would be key drivers in Singapore’s digital economy post-pandemic, especially as COVID-19 had accelerated digital transformation across all industries. Powered by 5G, the ability to collect and analyse data in large volumes and in real time would further speed up the adoption of AI and transform businesses, he said. He added that this would play out over the next one to two years as the industry began to embrace digitalisation and tap AI and 5G as the foundation of its digital transformation. According to Teo, Singapore was on track to have nationwide outdoor coverage on 5G standalone networks by 2025, with half of the island to have coverage by end-2022. Singtel’s Singapore CEO for consumer Anna Yip said the telco currently had more than 180,000 5G subscribers.


    VPN Unlimited deal: Save 80% on a lifetime subscription for 5 devices

    StackCommerce
    It’s really appalling how much of our data we give away freely to businesses that we deal with since it leaves us so vulnerable should their security be breached. Because, unfortunately, that happens far too frequently these days. It’s now imperative that we take the strongest possible measures to protect ourselves on both computers and mobile devices. Thankfully, a very affordable KeepSolid VPN Lifetime subscription will help free us from worry on up to 5 devices and you can currently get a $30 store credit if you buy one.

    KeepSolid VPN not only protects you with its military-grade AES 256-bit encryption on macOS, Windows, Android and iOS devices, it even includes a kill switch and an extremely strict policy of zero-logging in order to protect your privacy. Best of all, you get all of that protection without sacrificing any of your connection speed and absolutely no limits on either your bandwidth or your speed.That means you can work or stream without any buffering. And since KeepSolid VPN has more than 400 servers around the globe, you can enjoy content anywhere you like without having to worry about geo-restrictions while accessing Netflix, BBC iPlayer, Hulu, ESPN+, HBO, and much more. You could even train for an exciting new career while traveling for business or pleasure.KeepSolid VPN offers 24/7 customer service, but it’s so user-friendly, you may never need it. You also get the added convenience of features such as Trusted Networks, Ping Tests, Favorite Servers, and more. It’s no wonder that more than 10,000,000 worldwide users trust the protection of KeepSolid VPN.A VPN Special review sums up the benefits perfectly:”KeepSolid VPN Unlimited offers amazing services and its advanced features make it a solid VPN service provider.”Don’t pass up this chance to get a lifetime of powerful protection to keep you safe online anywhere in the world. Get KeepSolid VPN Lifetime with 5 Devices + $30 Store Credit today while it’s available for only $39.99, an 80% discount off the usual $199 price.


    T-Mobile hack: Everything you need to know

    T-Mobile, one of the biggest telecommunications companies in the US, was hacked nearly two weeks ago, exposing the sensitive information of more than 50 million current, former and prospective customers. Names, addresses, social security numbers, driver’s licenses and ID information for about 48 million people were accessed in the hack, which initially came to light on August 16. Here’s everything we know so far.

    What is T-Mobile?

    T-Mobile is a subsidiary of German telecommunications company Deutsche Telekom AG providing wireless voice, messaging and data services to customers in dozens of countries. In the US, the company has more than 104 million customers and became the second largest telecommunications company behind Verizon after its $26 billion merger with Sprint in 2018.

    How many people are affected by the hack?

    T-Mobile released a statement last week confirming that the names, dates of birth, social security numbers, driver’s licenses, phone numbers, as well as IMEI and IMSI information for about 7.8 million customers had been stolen in the breach. Another 40 million former or prospective customers had their names, dates of birth, social security numbers and driver’s licenses leaked.

    More than 5 million “current postpaid customer accounts” also had information like names, addresses, dates of birth, phone numbers, IMEIs and IMSIs illegally accessed. T-Mobile said another 667,000 accounts of former T-Mobile customers had their information stolen alongside a group of 850,000 active T-Mobile prepaid customers, whose names, phone numbers and account PINs were exposed. The names of 52,000 people with Metro by T-Mobile accounts may also have been accessed, according to T-Mobile.

    Who attacked T-Mobile?

    A 21-year-old US citizen by the name of John Binns told The Wall Street Journal and Alon Gal, co-founder of cybercrime intelligence firm Hudson Rock, that he is the main culprit behind the attack. His father, who died when he was two, was American and his mother is Turkish. He and his mother moved back to Turkey when Binns was 18.

    How did the attack happen?

    Binns, who was born in the US but now lives in Izmir, Turkey, said he conducted the attack from his home. Through Telegram, Binns provided evidence to the Wall Street Journal proving he was behind the T-Mobile attack and told reporters that he originally gained access to T-Mobile’s network through an unprotected router in July. According to the Wall Street Journal, he had been searching for gaps in T-Mobile’s defenses through its internet addresses and gained access to a data center near East Wenatchee, Washington, where he could explore more than 100 of the company’s servers. From there, it took about one week to gain access to the servers that contained the personal data of millions. By August 4 he had stolen millions of files. “I was panicking because I had access to something big. Their security is awful,” Binns told the Wall Street Journal. “Generating noise was one goal.” Binns also spoke with Motherboard and Bleeping Computer to explain some dynamics of the attack.

    He told Bleeping Computer that he gained access to T-Mobile’s systems through “production, staging, and development servers two weeks ago.” He hacked into an Oracle database server that had customer data inside. To prove it was real, Binns shared a screenshot of his SSH connection to a production server running Oracle with reporters from Bleeping Computer. They did not try to ransom T-Mobile because they already had buyers online, according to their interview with the news outlet. In his interview with Motherboard, he said he had stolen the data from T-Mobile servers and that T-Mobile managed to eventually kick him out of the breached servers, but not before copies of the data had already been made. On an underground forum, Binns and others were found selling a sample of the data with 30 million social security numbers and driver’s licenses for 6 Bitcoin, according to Motherboard and Bleeping Computer. T-Mobile CEO Mike Sievert explained that the hacker behind the attack “leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.” “In short, this individual’s intent was to break in and steal data, and they succeeded,” Sievert said. Binns claimed he stole 106GB of data, but it is unclear whether that is true.

    Why did Binns do it?

    The 21-year-old Virginia native told the Wall Street Journal and other outlets that he has been targeted by US law enforcement agencies for his alleged involvement in the Satori botnet conspiracy. He claims US agencies abducted him in Germany and Turkey and tortured him.

    Binns filed a lawsuit in a district court against the FBI, CIA and Justice Department in November where he said he was being investigated for various cybercrimes and for allegedly being part of the Islamic State militant group, a charge he denies. “I have no reason to make up a fake kidnapping story and I’m hoping that someone within the FBI leaks information about that,” he explained in his messages to the Wall Street Journal. The lawsuit includes a variety of claims by Binns that the CIA broke into his homes and wiretapped his computers as part of a larger investigation into his alleged cybercrimes. He filed the suit in a Washington DC District Court. Before he was officially identified, Binns sent Gal a message that was shared on Twitter. “The breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019. We did it to harm US infrastructure,” the message said, according to Gal.

    Was Binns alone in conducting the attack?

    In his interview with The Wall Street Journal, he would not confirm whether the data he stole has already been sold or whether someone else paid him to hack into T-Mobile. While Binns did not explicitly say he worked with others on the attack, he did admit that he needed help in acquiring login credentials for databases inside T-Mobile’s systems. Some news outlets have reported that Binns was not the only person selling the stolen T-Mobile data.

    When did T-Mobile discover the attack?

    The Wall Street Journal story noted that T-Mobile was initially notified of the breach by a cybersecurity company called Unit221B LLC, which said T-Mobile’s customer data was being marketed on the dark web. T-Mobile told ZDNet on August 16 that it was investigating the initial claims that customer data was being sold on the dark web and eventually released a lengthy statement explaining that while the hack did not involve all 100 million of its customers, at least half had their information involved in the hack.

    Is law enforcement involved?

    T-Mobile CEO Mike Sievert said on August 27 that he could not share more information about the technical details of the attack because the company is “actively coordinating with law enforcement on a criminal investigation.” It is unclear which agencies are working on the case, and T-Mobile did not respond to questions about this.

    What is T-Mobile doing about the hack?

    Sievert explained that the company hired Mandiant to conduct an investigation into the incident. “As of today, we have notified just about every current T-Mobile customer or primary account holder who had data such as name and current address, social security number, or government ID number compromised,” he said in a statement. T-Mobile will also put a banner on the MyT-Mobile.com account login page of others letting them know if they were not affected by the attack. Sievert admitted that the company is still in the process of notifying former and prospective customers, millions of whom also had their information stolen. In addition to offering just two years of free identity protection services with McAfee’s ID Theft Protection Service, T-Mobile said it was recommending customers sign up for “T-Mobile’s free scam-blocking protection through Scam Shield.” The company will also be offering “Account Takeover Protection” to postpaid customers, which it said will make it more difficult for customer accounts to be fraudulently ported out and stolen. It urged customers to reset all passwords and PINs as well.

    Sievert also announced that T-Mobile had signed “long-term partnerships” with Mandiant and KPMG LLP to beef up its cybersecurity and give the telecommunications giant the “firepower” needed to improve its ability to protect customers from cybercriminals. “As I previously mentioned, Mandiant has been part of our forensic investigation since the start of the incident, and we are now expanding our relationship to draw on the expertise they’ve gained from the front lines of large-scale data breaches and use their scalable security solutions to become more resilient to future cyber threats,” Sievert added. “They will support us as we develop an immediate and longer-term strategic plan to mitigate and stabilize cybersecurity risks across our enterprise. Simultaneously, we are partnering with consulting firm KPMG, a recognized global leader in cybersecurity consulting. KPMG’s cybersecurity team will bring its deep expertise and interdisciplinary approach to perform a thorough review of all T-Mobile security policies and performance measurement. They will focus on controls to identify gaps and areas of improvement.” Both Mandiant and KPMG will work together to sketch out a plan for T-Mobile to address its cybersecurity gaps in the future.

    Has this happened to T-Mobile before?

    No attack of this size has hit T-Mobile before, but the company has been attacked multiple times. Before the attack two weeks ago, the company had announced four data breaches in the last three years. The company disclosed a breach in January after incidents in August 2018, November 2019, and March 2020. The investigation into the January incident found that hackers accessed around 200,000 customer details such as phone numbers, the number of lines subscribed to an account, and, in some cases, call-related information, which T-Mobile said it collected as part of the normal operation of its wireless service. The previous breaches included a March 2020 incident where T-Mobile said hackers gained access to both its employees’ and customers’ data, including employee email accounts; a November 2019 incident where T-Mobile said it “discovered and shut down” unauthorized access to the personal data of its customers; and an August 2018 incident where T-Mobile said hackers gained access to the personal details of 2 million of its customers. Before it merged with T-Mobile in 2020, Sprint also disclosed two security breaches in 2019, one in May and a second in July.

    What happens now?

    Binns has not said if he has sold the data he stole, but he told Bleeping Computer that there were already multiple prospective buyers.