A recent data breach involving millions of AT&T customers has drawn renewed attention to the sources of flaws in the security programs of major telecom operators.
Why It Matters: Telcos collect a wealth of data about their customers, including financial, demographic, and other sensitive information. This data can later be misused to steal someone’s identity or break into their other online accounts.
Drivers of the News: AT&T last week began notifying 9 million wireless customers that their customer data was accessed during a third-party marketing breach.
A report by cyber intelligence firm Cyble last month estimates that by 2023 more than 74 million US telecom customers will have had their data leaked on the dark web. Each of the attacks in the report was related to a third-party security breach.
The big picture: The telecom sector is uniquely vulnerable to cyberattacks as the industry constantly pressures new entrants to help them expand their businesses, Darktrace Federal CEO Marcus Fowler told Axios.
Most major telcos and wireless carriers sell customers’ mobile data to advertisers and onboard potential new vendors who can access their security systems and create vulnerabilities. But these additional third-party vendors pose a growing security risk because it is difficult for companies to fully validate a new contractor’s security stack before signing a contract, Michael Sikorski, chief technology officer at Palo Alto Networks’ Unit 42 research lab, told Axios.
“… directly against them,” Sikorski said. “They tend to have pretty big security budgets, but when you consider how much outsourcing these companies do, it’s significant.”
Catch up fast: AT&T isn’t the only household name to be impacted by a recent data breach.
Between the lines: Data breaches have become so common that consumers now seem deaf to the headlines, Mauricio Sanchez, head of research at telecoms market research firm Dell’Oro Group, told Axios.
This deafness leaves some companies unmotivated to invest more in their security and leaves consumers vulnerable to security breaches, he said.
The intrigue: Nation-state hacking groups and financially motivated cybercriminals are interested in breaking into telecommunications, Sikorski said.
The most popular attack types go beyond the flashy data breaches that grab the headlines: malicious actors can also use the information they access to initiate what are known as SIM swap attacks, where a hacker can remotely take over a phone number. These attacks can then lead to malicious hackers stealing multi-factor authentication codes, giving them access to people’s most secure accounts.
Yes, but: Some experts argue that it is no longer sufficient to let the telecommunications industry improve its own security posture.
Creating regulations for necessary basic cybersecurity measures for the telecoms sector and its providers could go a long way in ensuring that all businesses prioritize their security, Fowler said.
“… so weakly that they can dismiss these things in the regulatory environment because they weren’t, it wasn’t their systems,” Sanchez said.
What’s Next: The Federal Communications Commission is working to update its privacy breach notification rules for telecom and wireless carriers.
Cellular carriers will soon begin implementing new FCC rules, finalized Thursday, requiring them to block text messages originating from “invalid, unassigned, or unused numbers.”