Reimagining Cyber - real world perspectives on cybersecurity
Explore the critical intersection of cybersecurity and business impact while gaining insights into CISO priorities with "Reimagining Cyber." Stay informed on the latest cybersecurity news, trends, and solutions tailored for today's CISOs and CIOs. Hosted by Rob Aragao, a seasoned security strategist with CyberRes, this podcast is your go-to resource for staying updated on cybersecurity developments and addressing common challenges in the rapidly evolving digital landscape.
Telecom Data Risks: Government's Role in the Fight - Ep 106
The latest episode of Reimagining Cyber dives into the recent major data breaches that have rocked the telecom sector, focusing on the latest AT&T incident.
It begins by reflecting on the historical context of cyberattacks in telecom, noting T-Mobile’s previous breach involving 85 million records and a hefty $500 million settlement.
Host of the show Rob Aragao details the chronology of AT&T's breaches, starting with a lesser-known incident from 2021, where the hacker “ShinyHunters” initially infiltrated AT&T's systems.
Despite early warnings, AT&T dismissed the threat, leading to a subsequent data dump on the dark web in early 2023, exposing over 73 million records. Fast forward to the latest breach disclosed last week, impacting a staggering 110 million customers, with call and text message records from May to October 2022 being compromised.
Rob explains the intricate balance between national security concerns and public transparency, highlighting the role of the Department of Justice in delaying the breach announcement.
The discussion then shifts to the broader implications and accountability within the telecom industry. Rob references the FCC's recent update to their data breach notification rules, which were 16 years old, underscoring the urgent need for regulatory improvements.
Rob concludes by examining the steps AT&T and its cloud data provider, Snowflake, are taking to prevent future breaches, such as implementing mandatory multi-factor authentication. They stress the importance of basic cybersecurity hygiene and the necessity for ongoing vigilance in protecting sensitive customer data.
This episode offers a comprehensive look at the complexities and challenges in securing the telecom sector, leaving listeners with critical insights into how these breaches occur and the measures needed to prevent them. Tune in for an engaging and informative discussion on one of the most pressing issues in cybersecurity today.
Get in touch via reimaginingcyber@gmail.com
[00:00:00] Rob Aragao: Well, welcome back to another episode of Reimagining Cyber. Today I am bringing on our producer, Ben. Many of you have heard Ben's voice in, um, you know, our closing or outros. And, uh, and many of you have also asked for him to be pulled into the show. When I say many, I'm talking about Ben's immediate family specifically.
[00:00:19] But anyhow, I want to pull Ben in for our today's conversation. And we're going to cover off a few topics. Um, really the first one is for Ben to give me his wholehearted feelings on what happened over the weekend. Looking into that in a second, Ben pulled off. The second is around phone a friend what's happening in the telecom sector.
[00:00:39] And we'll close that out with a little bit of the forecast, which unfortunately calls for a bit of snow, Ben kind of conversation goes amongst us. Right. So let's start off, Ben, with the Euro 2024 and what happened with England? I call the triple header at the end of the game where there was strong opportunity and then a crazy set of saves that happened.
[00:01:00] But you got to tell me,
[00:01:01] Producer Ben: Yeah, I will. I will take a deep breath before I get into this. And for my American friends over the pond, I will give you a little bit of context. We're talking about the greatest game in the world. Of course, the one you call soccer. We call it football. I, I, I'm not gonna, I'm not gonna split hairs over that.
[00:01:17] I really don't mind. But, uh, England were in the final of a competition called the Euros. Um, I'm sure you all know this, but I'll, I'll patronize you a little bit. That's where all various countries throughout Europe, Europe only, you know, play, play against each other in finals of this big tournament once every four years.
[00:01:35] And England, who have a proud record of hardly ever getting to the latter stages of any significant international tournament, actually got to the final. It was their second final in a row in this competition, which tends to cause unbridled amount of enthusiasm within the nation. We were up against Spain, who were a terrific team, and to be honest, we didn't go into the final with a huge amount of hope. But there is a little bit of hope and it is that hope that kills you and that ultimately is what happened to England because they went down by two goals to one.
[00:02:12] And the triple header of which you were talking about there, Rob, was right at the end of the game, about 89 minutes on the clock and a last-gasp chance to take it into extra time. One header saved, the second header off that save knocked off the line, a third header over the bar, and the whole of the nation held its head in its hands and you could hear the cries of joy coming from Scotland, Wales and Ireland as they realized they wouldn't have the English ramming this victory down their throats for the next probably 60, 70, 80 years.
[00:02:51] Uh, but the rest of us, you know, uh, a tear in our eyes. Fell into my cup of tea last, last night.
[00:02:58] Rob Aragao: So that glimmer of hope was there till the 89th minute. It was,
[00:03:02] Producer Ben: yeah, but you know, it was dashed, but it, we weren't crushed too much because I don't think a huge amount of us realistically thought we were going to win.
[00:03:10] We might snatch a, you know, a lucky victory, but we'd stunk the place out in the whole tournament. So, and Spain have been the best team there. So we can't say we didn't deserve to lose.
[00:03:22] Rob Aragao: There you go. Well, I watched, I enjoyed, um, I spoke to you and others and many were like, yeah, but it's, it's Spain. So that glimmer of hope, you know, you never know, right?
[00:03:32] What happens in these games. And there was an opportunity at the end, but listen, onto the World Cup, my friend. So let's see what happens there in a couple of years.
[00:03:39] Producer Ben: Thanks for bringing it up on my first appearance. Bless you.
[00:03:43] Rob Aragao: All right. Let's go into cyber security conversations, Ben and big news, big news this past week on the telecom sector.
[00:03:53] All right. And I'm going to talk about AT&T, of course, but you have to kind of look back and the telecom sector has been just hit with major breaches over time. You know, T-Mobile was the one up until this recent breach, uh, that had the, uh, unfortunate, uh, standing of first place, if you will, with number of records that were stolen, it was 85 million for them.
[00:04:18] And that was back in the timeframe of the 2020-2021 era, if you will, of all this different data getting impacted, and they ended up settling for over 500 million dollars on that breach. Now, this past spring, AT&T disclosed a breach of 73 plus million records. So I'm not talking about what just happened in the disclosure from last week.
[00:04:44] I'm talking about what happened back in the March time frame or so, separate breach. And what was interesting about that is that breach actually occurred back in 2021. And the, the, hacker, who goes by the name of ShinyHunters, actually reached out to AT&T back in 2021 when they had accessed data and said, I've gotten into your environment and I have some sampling of information to prove I'm in your environment and have this type of data in my hands.
[00:05:19] Let's have a conversation. Let's have a negotiation. They were looking to get something out of it. But they weren't really pressing heavily, Ben, at the time, as it related to, you know, how much, in essence, they were trying to kind of pull out of it and monetize, if you will. AT&T didn't take them seriously.
[00:05:35] So the hackers kind of continues on their merry way. And they came back earlier this year and went back to AT&T and said, I'm now going to actually dump this data on the dark web. The 73 million records that are out there that includes personal information, such as your customer names, their phone numbers, their account information, their account pins, right?
[00:06:00] And it was kind of all this treasure trove of information. Now, roughly 10 percent or so of the actual records were somewhat still relevant because they were active customers and accounts. Um, but what then happened is the hackers said, Let me give you a much bigger piece of the pie of visibility into what data I actually have to prove to you.
[00:06:25] I have this information and AT&T, obviously, at that point in time, saw the reality of what that was and then began the conversations to go through and negotiate, you know, the details of the deal to get the data actually cleansed and completely deleted, quote, unquote, hopefully, um, and then come back to, you know, shiny hacker and say, okay, you know, let's move on.
[00:06:46] Everybody is dealt with their piece. So that happened again in the spring timeframe of when that actual set of information came out of 73 plus million records stolen, the details of that and what occurred fast forward to just this past week, as you know, that the current data breach information is disclosed.
[00:07:09] What happened? 110 million customers. 110 million customers, all of AT&T's customers, had their information actually breached. So they had their call and text message records breached. And that time frame of when the breach occurred has come back to be realized as it was from that period of May 1st, 2022 to October 31st, 2022.
[00:07:37] So they now have 110 million customer records and all the different details relative to the calls and text messages that they made. Not just amongst AT&T network, but also anything that went outbound to other wireless network providers. Right? So what's in part of that, you have your call detail records.
[00:07:58] You do not have, so Ben buckle up. You're okay. They don't have to say
[00:08:02] Producer Ben: there's an awful lot to unpack here. I haven't put myself on mute. I'm just listening. I'm taking it all in.
[00:08:08] Rob Aragao: It's all good. Cause I know this is where you want to come in and you, you, you kind of may have been, Hey, what the hell is going on here?
[00:08:15] The text messages, Ben, the contents of the text messages. You're fine. It's okay. They're not out there.
[00:08:21] Producer Ben: And for that I breathe a sigh of relief. Anyway, continue.
[00:08:27] Rob Aragao: So, so none of that information is out there, but again, it's just the details of, you know, who was communicated with, um, and the information is all out there now in the wild.
[00:08:36] So I'm going to pause there, Ben, because I know if you look at it, kind of, you must have your own set of questions as hearing this news.
[00:08:43] Producer Ben: Okay. Let's imagine I'm an AT&T customer. Okay. I read the headlines of the day. So, and first of all, I am scared because I'm thinking, oh my goodness me, my data is out there. Who knows who has got what and what they're doing with it?
[00:08:57] Okay, so I'm scared. And then I start to read the story and I become angry because I'm thinking, okay, has there been any kind of cover up here? When did people know, what were people forced to reveal, exactly what's happened, or am I overreacting? What would you say to that? So
[00:09:18] Rob Aragao: do they have to disclose? They do.
[00:09:21] They do. So if you go back to the SEC cyber rule that we've had conversations about in episodes in the past, they are required, um, public company, to disclose the breach.
[00:09:32] Producer Ben: That's the thing, isn't it?
[00:09:33] Rob Aragao: Not all the details of the breach, but that they've identified that there has been a data breach and whatever information they have at that point in time.
[00:09:39] So yes, they have to disclose. So your question then becomes Rob, you just finished saying that this happened back in 2022. Exactly. So why, why has it been so long where, you know, this investigation has been going on and there's some awareness and maybe the awareness didn't happen until just recently, which is the case.
[00:09:57] That's fine. Right. That's, that's, that's okay. But why is it that the disclosure hasn't gone out or hadn't gone out until just recently? So the reality of it was, it was a major curve ball in all of us. Think about it. So you have call detail records, you have text detail records, or all of that communication flow.
[00:10:16] You have all of the AT&T customers, which could easily include people within federal government. National security was the biggest concern. So literally the Department of Adjustment, Justice, went back and said, Time out. We're not going to disclose this. We're going to further investigate this. And not only did they say, We're not going to disclose this now, until we get more information to then publicly disclose what we know.
[00:10:46] They did it twice, because they were so concerned about what potentially was obviously within their and the national security implications they could have
[00:10:54] Producer Ben: So I hesitate to say this, but we should perhaps cut, well, we should cut AT&T some slack regarding the timing of the release
[00:11:06] Rob Aragao: Yeah, we should, because again, you know, what's been pulled forward and understood, right?
[00:11:12] So, so if you kind of look at the reality of the timing of when they picked up on the breach occurring, right? So again, the records and information is back from 22. When it was picked up that it actually occurred was around the mid or so late April timeframe, right? So, so back at that time, um, they realized that there was a breach that had occurred on the cloud data platform.
[00:11:34] Okay. Provider that they work with, which is called Snowflake and Snowflake was in the news already about this breach and multiple customers of theirs, uh, being potentially impacted by a breach, um, or information stolen, let's say, because, because they still kind of claim that they, they themselves weren't breached, that they had the right security controls, but data of their customers.
[00:11:53] Right. Their cloud data platform was stolen. You had Ticketmaster, Santander, the list goes on. A hundred and, up to date, 165 different companies have been notified by the investigators that in all likelihood, they were part of this breach and their information could have officially been impacted by this.
[00:12:15] So I bring that up into your answer your question, because the reality of when this was identified was just within the past couple of months. But the severity, again, of what is attributed towards a major telecom provider with all sorts of communications in who people are communicating with was the big concern.
[00:12:35] Hence why government said pause, further investigate. National security is a major concern on this type of event that's occurred. Let's make sure we have all of the details well understood until we actually go ahead and have AT&T file the disclosure, which they just did with the NAICS, as we talked about before, the SEC cyber rule requires what information they have at that point.
[00:12:57] Producer Ben: Okay, Rob, I'm going to read a few quotes to you from the MSNBC report on this. I'll start with this one. AT&T said that it has taken additional cyber security measures in response to this incident, including closing off the point of unlawful access. Does that seem sufficient to you? What kind of additional measures to that would you deem to be sufficient?
[00:13:25] Rob Aragao: So there's nothing in there that explicitly calls out the details of what they actually mean. Yeah. Right. That being said, just this past week also, Snowflake actually, again, that cloud data platform provider behind where AT&T's information was stored, came out and actually made a security change to how their customers engage and work with their platform, in essence, to get the data.
[00:13:53] And the simple thing that they did was now make multi-factor authentication or MFA mandatory. So all of the instances of accessing your data require a second level of authentication. And Ben, think about that. How many times have we had a conversation where the basic foundation security hygiene requirement is around multi-factor authentication, all of these different security incidents that have occurred in the past?
[00:14:21] Producer Ben: I must admit, when I hear MFA mentioned, I just kind of, that's me, you know, slapping my head with my hand or slapping my hand onto my head thinking, duh, well, of course, why aren't people, it just seems so ridiculously obvious. I can't even believe we say it out loud. It's that obvious.
[00:14:39] Rob Aragao: You're a hundred percent, a hundred percent.
[00:14:42] And, and, you know, when you look at it is I'm sure it was there as an optional element that they could turn on. But now they're making it mandatory. I mean, honestly, it should have been mandatory from the get go. So I'm not pointing a finger at necessarily Snowflake. I'm not pointing a finger at AT&T. It's just, everyone should be doing these things.
[00:14:59] It's kind of the basic hygiene. As you said, it's the, really, you're not doing this in the first place that could have prevented it. It doesn't necessarily stop, right? Cause the attackers could actually still get through, but. It's making it that much more difficult for them to actually get into the environment.
[00:15:14] So that's a core element of, you know, yeah, that's what Snowflake did. What's AT&T doing behind the scenes? Maybe that's one of the things that they're actually doing as well, but I'm sure there's a bunch of other things that as part of their review and assessment of, uh, controls, security controls, specifically that may be that they didn't have in place, maybe they thought that in place, are being reviewed and reassessed to see how they can harden better the access into the environment and harden the act, the actual data.
[00:15:41] Producer Ben: Will that be a watch this space and we'll find out, or is that the kind of thing they'll always keep under wraps and you'll never be quite sure as to the extra steps they've taken?
[00:15:49] Rob Aragao: I don't know that they're going to disclose too much. I think that they'll disclose a little bit because again, think about it, it is a, um, you know, a major emphasis for them to show and regain trust.
[00:16:02] Producer Ben: Hmm.
[00:16:02] Rob Aragao: of their end customers. So to show and communicate what they're actually effectively doing, um, is critically important, right? They have to regain that, that, that trust factor in, yes, your information is now being properly protected. These are the actual steps that we've taken forward to ensure that that something like this does not likely happen again, right?
[00:16:23] So time will tell, Ben. Um, I do expect some additional details that they will share to kind of help get the consumer back on board and trust rebuilt.
[00:16:33] Producer Ben: I'll read you another quote, actually. Um, from Senator Ron Wyden. Um, he said that this breach was indicative, I won't do the, I won't do the accent. He said that, uh, the breach was indicative of the lax legal environment in which telecommunication companies operate.
[00:16:50] It's not the first data breach, won't be the last. Uh, these hacks, which are almost always the result of inadequate cyber security, won't end until the FCC start holding the carriers accountable for their negligence. Now this is the key bit. These companies will keep short changing customer security until it hits them in the wallet with billion
[00:17:13] dollar fines. React to that, if you would, Rob. Is this, you know, is this a politician taking an easy shot? Is he grandstanding here? Does he have a point? What could be done if that is what needs to be done?
[00:17:28] Rob Aragao: So he definitely has a point. Um, if you go back to kind of how I started the conversation on the telecom space, you have a half a billion dollar penalty that was levied until on T-Mobile right back in 2021.
[00:17:42] Yeah. Did they change? Yeah. They, they made changes. They, they had many different breaches going on. And they made changes and, you know, luckily we haven't heard their name in the news relative to data breaches. Okay. It doesn't mean it's not going to happen again. Now, to the bigger point, though, is the tie in from government.
[00:18:00] We talked about, you know, the Department of Justice and their impact on the public disclosure and hold back because of, again, sensitive information potentially attributed towards national cybersecurity, national security in general. Um, got it. That's fine. The FCC though, Ben, in December of 2023, actually had gone forward finally and updated their data breach notification rules, which was 16 years old.
[00:18:32] How fast does this space change?
[00:18:33] Producer Ben: Yeah.
[00:18:34] Rob Aragao: Right. 16 years old. So yeah, it was completely outdated. Think about that. So to your point, that's when again, these mobile devices started coming into play and so much more data being across those networks stored on those and you mean to tell me it took you 16 years to update the breach notification rules.
[00:18:57] So, okay, fine, but that's, that's happening. So that's the good part of it. Um, so to kind of back what, you know, the quote is, sure, call out the point of, it's an opportunity for government to further suggest the telecom industry do move forward, do things better, strengthen, reassess their cyber security posture overall, which they all should be doing.
[00:19:20] That's just AT&T, of course, you know, you can name whoever they are. So I think, yeah, it's an opportunity to take that kind of shot over the bow. But something that actually did start changing back in December. Um, but listen, telecommunications definitely falls in that category of critical infrastructure.
[00:19:37] And one of the major push points here, uh, domestically in the U.S. that's been emphasized, uh, from the White House, right. And in securing the cyber aspects of critical infrastructure. So this is right smack in the heart of one of the key elements of that.
[00:19:51] Producer Ben: Brilliant, Rob. Thanks so much. Um, it's really one to keep an eye on and, um, you know, we've even over here in the UK.
[00:19:59] Uh, we've been hearing about this one, so it just goes to show what an impact it's having over in the States, I guess.
[00:20:05] Rob Aragao: Absolutely. We'll keep an eye looking at this one in the telecom sector in general, Ben. It was great having you on today, my friend.
[00:20:11] Producer Ben: My absolute pleasure.
[00:20:12] Rob Aragao: Take care. Until next time.