Wave of telecom data breaches highlights industry's weaknesses
A recent data breach involving millions of AT&T customers is bringing renewed attention to the fault lines in major telecommunications providers' security programs.
Why it matters: Telecom companies collect a wealth of data about their customers, including financial, demographic and other sensitive information. That data can later be abused to steal someone's identity or break into their other online accounts.
Driving the news: AT&T started notifying 9 million wireless customers last week that their customer information was accessed during a breach at a third-party marketing vendor.
- A report from cyber intelligence firm Cyble last month estimates that more than 74 million U.S. telecom customers have already had their data leaked on the dark web so far in 2023. Each of the attacks in the report involved breaches at third-party vendors.
The big picture: The telecom sector is uniquely vulnerable to cyberattacks given the constant industry pressure to bring in new vendors to help them expand their business lines, Marcus Fowler, CEO of Darktrace Federal, told Axios.
- Most major telecom and wireless providers sell customers' mobile data to advertisers, roping in a potential new set of vendors who can access their security systems and create weak spots in them.
- But those added third-party vendors create a mounting security risk since it's difficult for companies to completely vet a new contractor's security stack before they sign a contract, Michael Sikorski, chief technology officer at Palo Alto Networks' Unit 42 research lab, told Axios.
- "We're definitely seeing a huge uptick in telecom attacks now, not necessarily directly against them," Sikorski said. "They tend to have pretty large security budgets, but if you think about how much outsourcing those entities are doing, it's significant."
Catch up quick: AT&T isn't the only household name reeling from a recent data breach.
- T-Mobile said earlier this year that it suffered a data breach in November that impacted 37 million current customers. That announcement came after other publicly reported breaches at T-Mobile in 2021, 2020, 2019 and 2018.
Between the lines: Data breaches have become so frequent that consumers are now seemingly numb to the headlines, Mauricio Sanchez, research director at telecom market research firm Dell'Oro Group, told Axios.
- That numbness leaves some companies unmotivated to invest more in their security, leaving consumers vulnerable to breaches, he said.
The intrigue: Nation-state hacking groups and financially motivated cybercriminals are interested in breaking into telecoms, Sikorski said.
- The most popular attack types go beyond the high-profile data breaches making headlines: Malicious actors can also use the information they access to initiate so-called SIM-swapping attacks, where a hacker can take over a phone number remotely.
- Those SIM-swapping attacks can then lead to malicious hackers stealing multifactor authentication codes, giving them access to people's most secured accounts.
Yes, but: Some experts argue that leaving it up to the telecom industry to improve their own security postures isn't enough anymore.
- Creating regulations for required baseline cybersecurity measures for the telecom sector and its vendors could go a long way to ensuring all companies are prioritizing their security, Fowler said.
- "This is not a situation where carrots are going to work, and the stick here is pretty weak in so far that, in the regulatory environment, they can shrug these things off because it wasn’t them, it wasn't their systems," Sanchez said.
What's next: The Federal Communications Commission is working on an update to its data breach notification rules for telecom and wireless carriers.
- Mobile carriers will soon start implementing new FCC rules finalized Thursday requiring them to block text messages that come from "invalid, unallocated or unused numbers."