Hackers accessed Sprint subscriber accounts via Samsung website
17 July 2019
US telecom services provider Sprint has informed customers that unknown hackers accessed their account details without authorisation via the Samsung.com website. Information compromised due to the unauthorised access included phone numbers, billing addresses, and names of subscribers.
In a letter to its subscribers, Sprint said that it was informed of the unauthorised access on 22nd June and took steps to prevent malicious actors from accessing subscribers’ accounts on 25th June by automatically resetting individual PINs of all subscribers.
The company did not state how long the unauthorised access went on before it was detected, but told subscribers that it did not identify any fraudulent activity associated with their accounts. It added that credit card numbers and social security numbers were not accessed by hackers as they were encrypted.
Hackers accessed names, addresses & phone numbers of Sprint subscribers
“The personal information of yours that may have been viewed includes the following: phone number, device type, device ID, monthly recurring charges, subscriber ID, account number, account creation date, upgrade eligibility, first and last name, billing address, and add-on services. No other information that could create a substantial risk of fraud or identity theft was acquired,” Sprint said.
“As a precautionary measure, we recommend that you take the preventative measures that are recommended by the Federal Trade Commission (FTC) to help protect you from fraud and identity theft.
“We apologize for the inconvenience that this may cause you. Please be assured that the privacy of your personal information is important to us,” it added.
A spokesperson from Samsung told CNET that Samsung also detected attempts by unauthorised persons to access login credentials and account information of Sprint customers via Samsung.com and immediately took steps to prevent user account details from being accessed through such attempts.
“We recently detected fraudulent attempts to access Sprint user account information via Samsung.com, using Sprint login credentials that were not obtained from Samsung. We deployed measures to prevent further attempts of this kind on Samsung.com and no Samsung user account information was accessed as part of these attempts,” the spokesperson said.
Customer service innovation trumps data security
Commenting on the unauthorised access of personal data of Sprint subscribers by hackers, Felix Rosbach, product manager at comforte AG, said that to stay on top of the game and to offer a best-in-class customer experience, some organisations allow third parties access to sensitive customer data.
“Missing control over the infrastructure of third parties combined with the lack of cybersecurity talent available on the market makes it near impossible to prevent attackers from getting access to such a complex network.
“Protecting data is more important than just preventing breaches. The best thing organisations can do is to focus on a data-centric security strategy to make sure that data is protected and access to it is restricted all the time,” Rosbach added.
“The Sprint breach highlights, once again, the importance of third party assurance and how access given to third parties needs to be carefully considered, secured and monitored. When security is built in at an early stage, the architecture can be designed in a more secure manner so that external, or even internal departments which don’t need access to functions cannot make any unauthorised changes,” said Javvad Malik, security awareness advocate at KnowBe4.
“It’s unfortunate that Sprint didn’t provide more details around the number of accounts breached and whether attackers had modified any account details. It could be possible that Sprint is still collating the information, but transparency and clarity of impact is vitally important for companies in the aftermath of an incident. Delays to sharing information can undermine customer confidence,” he added.
Boris Cipot, senior security engineer at Synopsys, said that in addition to changing PIN numbers, as recommended by Sprint, he would also advise users to change their account credentials for the Sprint portal.
“As we know, many people use the same username and password for many different accounts, so it would be advisable to change those also. In any case, it would be advisable for everyone to change their password every now and then and not use the same credentials for different services,” he added.