T-Mobile customers are left feeling frustrated as hacker comes forward, calling the company’s security ‘awful’

  • An American man living in Turkey claims to be the hacker behind a massive T-Mobile breach, the Wall Street Journal reported.
  • T-Mobile customers are left feeling frustrated by their wireless carrier over security concerns.
  • Customers are experiencing fraudulent charges on debit cards and spam calls and text messages after the breach.
  • See more stories on Insider’s business page.

T-Mobile customers are dealing with the fallout of a security breach that exposed the personal information of more than 53 million people, with some telling Insider they’ve recently experienced fraudulent charges on debit cards and spam calls and text messages.

Customers also expressed frustration that the man who took responsibility for the attack said it was easy.

“Their security is awful,” John Binns, a 21-year-old American who now lives in Turkey, told The Wall Street Journal on Friday, claiming to be the hacker behind the breach.

Binns told the Journal he got in by scanning T-Mobile's internet-facing addresses for weak spots and finding an unprotected router, which gave him a path to the company's servers. More than 53 million people had personal information compromised in the hack, including names, addresses, dates of birth, phone numbers, Social Security numbers, and driver's license information.

Many customers are now dealing with the repercussions of the hack and feel as though T-Mobile is not doing enough to protect them as some information hits the dark web.

Eddie Richards, a T-Mobile customer from Elizabethtown, Kentucky, told Insider he did not know about the hack until it reached the news. Richards is on a T-Mobile family plan, and while the company notified only the primary account holder of the data breach, he believes every customer on the plan should have been told.

“It just frustrates me, honestly,” Richards said. “If our data is a priority for you guys to keep safe, how come I haven’t gotten a notification or anything like that?”

The telecom company has previously said that no financial information was compromised in the breach, but Richards said he has dealt with several fraudulent charges on his debit cards since.

“I put two and two together,” Richards said, explaining that although he can’t prove the charges are connected to the breach, he feels it is too much of a coincidence. Richards has also started getting more spam calls and text messages on his cell phone, as well as several spam emails.

Like Richards, Amina Jeffery and her husband Trent have received more spam calls and text messages since the breach. Most of the fraudulent messages reference money transfers the Jefferies never made.

The Jefferies, who live in Milwaukee, Wisconsin, and have been T-Mobile customers for many years, feel let down by the wireless carrier.

“I felt like they tried to just basically downplay it, that’s what kind of irritated me,” Amina Jeffery told Insider in an interview. “For me, they’re just trying to avoid responsibility.”

T-Mobile did not comment specifically on the customers’ accounts and instead pointed to an apology statement released on Friday by its CEO, Mike Sievert. Both Richards and the Jefferies want more to be done.

“What does that have to do with the rest of my life?” Amina Jeffery said. “If somebody has my social and my birthday and my name, that is enough right there to go and be me so that just doesn’t work for me.”

Despite this, the Jefferies and Richards are still T-Mobile customers.

T-Mobile and Sprint merged in April 2020. The combined company now has approximately 104.7 million customers, according to its latest earnings report, so the number of people affected by the breach is roughly half the size of its current customer base.

The company is almost done with its investigation into the incident and the breach is contained, according to a statement released by T-Mobile on Friday.

Read the original article on Business Insider

T-Mobile CEO apologizes for the hack that exposed data of 53 million people, as the company faces class action lawsuits over the breach

T-Mobile CEO Mike Sievert.

  • T-Mobile CEO Mike Sievert apologized for a hack that exposed the data of 53 million people.
  • “Knowing that we failed to prevent this exposure is one of the hardest parts of this event,” Sievert said.
  • T-Mobile also announced a partnership with Mandiant and KPMG LLP to help the company with its approach to cybersecurity.

T-Mobile CEO Mike Sievert apologized Friday for a data breach that affected over 53 million people.

T-Mobile is almost done with its investigation and the breach is contained, Sievert said.

“Knowing that we failed to prevent this exposure is one of the hardest parts of this event,” Sievert wrote. “On behalf of everyone at Team Magenta, I want to say we are truly sorry.”

“Bad actors” work endlessly to exploit and attack systems like T-Mobile’s, Sievert said, adding that while the company tries to stay ahead of them, it did not live up to its customers’ expectations.

“We’re fully committed to take our security efforts to the next level as we work to rebuild trust,” Sievert added.

As part of the company’s next steps, Sievert announced a partnership among T-Mobile, Mandiant, and KPMG LLP. Mandiant, a global security firm that has been working with T-Mobile since the investigation into the breach started, and KPMG, a consulting firm, plan to help T-Mobile with its approach to cybersecurity.

“This is all about assembling the firepower we need to improve our ability to fight back against criminals and building a future-forward strategy to protect T-Mobile and our customers,” Sievert wrote.

T-Mobile says nearly all of the 53 million affected customers have been notified of the breach. The stolen information includes names, addresses, dates of birth, phone numbers, Social Security numbers, and driver’s license information.

T-Mobile originally became aware of the data breach after hackers posted in an underground forum, Vice’s Motherboard first reported.

Since then, customers have filed class action lawsuits against the wireless carrier. The suits cite violations of the California Consumer Privacy Act, which gives Californians the right to see all the information a company has saved on them as well as a full list of the third parties that data is shared with, and of the Washington State Consumer Protection Act, for poor data security.

Big tech firms pledge more than $31 billion and 250,000 jobs to strengthen cybersecurity

CEOs from the biggest tech companies in the US met with President Biden on Wednesday to discuss cybersecurity.

  • The biggest tech companies in the US met at the White House Wednesday to discuss cybersecurity.
  • Apple, Microsoft, Amazon, Google, and IBM all made pledges to strengthen the nation’s cybersecurity.
  • The firms pledged more than $31 billion total, including 250,000 new jobs and various trainings.

CEOs from the biggest tech companies in the US met with President Biden on Wednesday to discuss “opportunities to bolster the nation’s cybersecurity in partnership and individually,” the White House said in a press release.

Following a spate of cyberattacks against US companies, including Colonial Pipeline and the meat processor JBS, Microsoft, Google, Amazon, IBM, and Apple all made pledges during the meeting to strengthen cybersecurity across the sector.

The White House says that Microsoft will “immediately” make $150 million in technical services available to help all levels of the US government upgrade their security protections. The company will also invest $20 billion over the next five years to “accelerate efforts to integrate cyber security by design and deliver advanced security solutions,” according to a press release.

Microsoft is also partnering with community colleges and nonprofit organizations to provide cybersecurity training.

Google announced that it will help 100,000 Americans earn industry-level digital skills certificates that could lead to high-paying jobs in the tech industry. The company will also invest $10 billion over the next five years to help secure the software supply chain, expand zero-trust programs, and strengthen open-source security.

IBM will train 150,000 people in cybersecurity over the next three years while partnering with more than 20 historically Black colleges and universities to “establish Cybersecurity Leadership Centers to grow a more diverse cyber workforce.”

The White House says that Apple is creating a new program to improve security throughout the technology supply chain. Working with more than 9,000 US suppliers, Apple will push adoption of multi-factor authentication, security training, vulnerability remediation, event logging, and incident response across that supply chain.

Amazon said that it would release its security awareness training to the public free of charge. The company will also provide a multi-factor authentication device to Amazon Web Services account holders at no cost, to protect against phishing and password theft.

“The reality is most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone,” President Biden said before the meeting, according to the Washington Post. “You have the power, capacity, and responsibility, I believe, to raise the bar on cybersecurity. Ultimately we’ve got a lot of work to do.”


Palo Alto Networks surges 19% on strong 4th-quarter earnings as cybersecurity sector booms

Signage with logo at the Silicon Valley headquarters of computer security and firewall company Palo Alto Networks, Santa Clara, California, August 17, 2017.

Shares of Palo Alto Networks surged to an all-time high after the cybersecurity firm reported fourth-quarter earnings that beat estimates and boosted its forecast for 2022 amid a growing number of cyberattacks against US companies.

Palo Alto Networks stock jumped nearly 19% to an intraday high of $443.51 on Tuesday. It was trading 18% higher at $442.65 as of 11:50 a.m. ET.

The company posted a profit of $1.60 per share compared to $1.44 expected by analysts, according to Refinitiv, and revenue of $1.22 billion compared to the $1.17 billion expected.

The revenue of the Santa Clara, California-based firm, meanwhile, grew 28% in the quarter ending July 31, compared to 24% in the previous quarter.

“We’ve had a series of cybersecurity events over the last quarter, against the backdrop where we’ve seen supply chain attacks where bad actors try to hack into core infrastructure pieces, which allows them access to enterprises or government systems,” Nikesh Arora, company chairman and CEO, said during the earnings call. “The ransomware threat continues to rise.”

The company also forecast fiscal 2022 revenue of $5.275 billion to $5.325 billion, representing 24% to 25% year-on-year growth.

Due to the rise in ransomware attacks, Arora said Palo Alto Networks currently has around 300 more ransomware readiness assessments in the pipeline in addition to the 39 it was already engaged in.

“Over time, we expect these service engagements to allow us to increase our product pull-through to our customers,” he said during the call. “As a company, we’ve continued to focus on getting more presence in our customers and getting larger deals with them.”

Looking ahead, Arora said supply chain constraints might weigh on the third or fourth fiscal quarter of next year. For that reason, he said, Palo Alto Networks is raising the prices of its hardware products, though only by a small amount.

The US State Department knows it’s ‘pushing the envelope’ as it offers up to $10 million rewards for crypto-hacking intel, according to new interview

  • State Department officials told CNN an “edgy” program to pull in cyber-crime tips by paying up to $10 million rewards is aimed at reaching a new pool of informants.
  • The agency will allow informants with verifiable information about foreign-backed hacking schemes to be paid in cryptocurrency.
  • Officials have already started receiving tips via its channel on the Dark Web.

The US State Department says its initiative to pay informants for information about certain hacking schemes with cryptocurrency and to allow communication through a secure portal on the Dark Web is aimed at reaching potential sources on turf that’s familiar to them, according to an interview with agency officials conducted by CNN.

For the first time, the agency is allowing informants to choose to receive reward payments in cryptocurrency. The move is tied to an offer of up to $10 million for information leading to the identification or location of hackers backed by foreign governments who target US infrastructure. Officials told CNN they have started receiving tips through a recently opened channel on the Dark Web that is reachable with the Tor browser.

“Within our program there’s a tremendous amount of enthusiasm because we’re really pushing the envelope every chance we get to try and reach audiences, sources, people who may have information that helps improve our national security,” an unnamed State Department official told CNN in an interview published Sunday, the first since the announcement. “It’s been edgy for some government agencies, perhaps, but we’re going to keep pushing forward in many different ways.”

CNN said the reward was “quietly” announced in June as part of a raft of other actions the Biden administration was enacting to improve the country’s cybersecurity.

The Biden administration in recent months has accused hackers working for Russia and China of breaching numerous US agencies and departments and the administration has made fighting ransomware a top priority.

The FBI in June seized $2.3 million worth of bitcoin out of a $4.4 million ransom that oil pipeline system operator Colonial Pipeline had paid to DarkSide. The FBI said the group, believed to be based in Russia, was behind a May cyberattack against the privately held company that led to gasoline shortages across the southeastern US.

The officials declined to describe the tips they have received through the Dark Web channel because of the sensitive nature of the information and sources, the report said.

“Something on the Dark Web that allows total anonymity and an initial level of security is probably more appropriate for those folks,” CNN quoted a second unnamed State Department official as saying. “So just finding people where they are and reaching them with the technology on which they are most comfortable, I think, is the name of the game for Rewards for Justice.”


Amazon reportedly wants to track its customer service employees by their keyboard strokes and mouse movements

Amazon’s New York office.

Amazon plans to monitor its customer service workers through their keystrokes and mouse movements, according to Vice.

The e-commerce giant wants to use the monitoring technology to keep rogue workers, impostors, and hackers from accessing confidential customer data, Vice Motherboard’s Joseph Cox reported on Thursday.

Amazon’s security, finance, and legal teams have apparently agreed to use a behavioral biometric system from cybersecurity company BehavioSec, Vice reported.

According to a confidential document obtained and verified by Motherboard, the proposed system would use algorithms to build a profile of each worker’s characteristic keyboard and mouse rhythms. It would then continuously check the individual’s “biometric footprint” against that profile to confirm that the same person is still using the device at any given time.

For privacy reasons, the system wouldn’t record what apps or sites workers type or click on, and it wouldn’t monitor worker communications, the report said.
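The two paragraphs above describe the shape of a behavioural-biometric check: build a profile from a worker's own typing and mouse rhythm, then keep scoring fresh activity against it without recording what was typed. The following is an added illustration written for this page, not BehavioSec's algorithm or Amazon's system. It assumes a simple statistical profile (per-feature mean and standard deviation, with a mean absolute z-score threshold of 3.0) and uses only timings and pointer geometry, so the key identities never enter the model; all activity data is constructed.

```python
"""Continuous authentication from typing and mouse rhythm (added illustration).

Enrollment turns several windows of a user's own activity into a profile of
per-feature means and standard deviations. Verification summarises a fresh
window the same way and reports how many standard deviations it sits from the
profile; a large score means the hands on the keyboard probably changed. Only
timings and movement geometry are used, never which keys were pressed.
All activity data below is constructed, not captured from a real system.
"""
import random
from dataclasses import dataclass
from math import cos, sin
from statistics import mean, pstdev


@dataclass
class Profile:
    means: dict
    stds: dict


def features(keys, mouse):
    """Summarise one window of activity.

    keys:  list of (press_ms, release_ms) for consecutive keystrokes
    mouse: list of (dx_px, dy_px, dt_ms) pointer movement segments
    """
    dwell = [rel - press for press, rel in keys]  # how long each key is held
    flight = [keys[i + 1][0] - keys[i][1] for i in range(len(keys) - 1)]  # release to next press
    speed = [(dx * dx + dy * dy) ** 0.5 / dt for dx, dy, dt in mouse if dt > 0]
    return {
        "dwell_mean": mean(dwell),
        "dwell_std": pstdev(dwell),
        "flight_mean": mean(flight),
        "flight_std": pstdev(flight),
        "mouse_speed_mean": mean(speed),
    }


def enroll(windows):
    """Build a profile from feature dicts of the legitimate user's sessions."""
    names = list(windows[0])
    means = {n: mean(w[n] for w in windows) for n in names}
    # floor the spread so a perfectly constant feature cannot divide by zero
    stds = {n: max(pstdev([w[n] for w in windows]), 1e-6) for n in names}
    return Profile(means, stds)


def anomaly_score(profile, window):
    """Mean absolute z-score over all features: near 1 for the enrolled user."""
    return mean(abs(window[n] - profile.means[n]) / profile.stds[n] for n in profile.means)


def verify(profile, window, threshold=3.0):
    """True while the activity still looks like the enrolled user."""
    return anomaly_score(profile, window) < threshold


def synth_window(rng, dwell_ms, flight_ms, speed_px_per_ms, n_keys=40, n_moves=20):
    """Constructed activity: Gaussian jitter around one person's typical timings."""
    keys, t = [], 0.0
    for _ in range(n_keys):
        release = t + max(10.0, rng.gauss(dwell_ms, dwell_ms * 0.15))
        keys.append((t, release))
        t = release + max(5.0, rng.gauss(flight_ms, flight_ms * 0.2))
    mouse = []
    for _ in range(n_moves):
        dt = rng.uniform(20.0, 60.0)
        dist = speed_px_per_ms * dt * rng.uniform(0.8, 1.2)
        angle = rng.uniform(0.0, 6.283)
        mouse.append((dist * cos(angle), dist * sin(angle), dt))
    return features(keys, mouse)


def demo(seed=7):
    """Enrol one agent, then score the agent and an impostor at the same desk."""
    rng = random.Random(seed)
    profile = enroll([synth_window(rng, 90, 140, 1.2) for _ in range(30)])
    same_person = synth_window(rng, 90, 140, 1.2)
    impostor = synth_window(rng, 150, 260, 2.4)  # slower typist, faster mouse
    return verify(profile, same_person), verify(profile, impostor)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The threshold is the whole policy question: too tight and a tired agent typing slowly gets locked out, too loose and a colleague who sits down at an unlocked desk passes. A production system would score rolling windows, require several consecutive failures before acting, and pair the signal with a step-up prompt rather than treating one bad window as proof.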

The document also detailed several successful attempts where malicious actors posed as Amazon customer service employees to gain access to privileged customer information, Vice reported.

Weaker security controls for customer service agents working from home because of COVID-19, along with more customer service jobs outsourced to countries with less stringent security measures, have pushed the company to invest in data security, according to the report.

Amazon did not directly comment on the Motherboard report. “Maintaining the security and privacy of customer and employee data is among our highest priorities,” Kelly Nantel, National Media Relations Director at Amazon, told Insider.

Amazon has used similar surveillance techniques to keep a closer eye on its operations. Earlier this year, the company told its delivery drivers to sign a “biometric consent” form so they could be monitored. It installed AI cameras in its drivers’ vans to watch and score their performance on the job, prompting some workers to find ways around the monitoring.

“While we do not share details on the technologies we use, we continually explore and test new ways to safeguard customer-related data while also respecting the privacy of our employees,” Nantel added. “And we do this while also remaining compliant with applicable privacy laws and regulations.”


If you live in the US, Apple reportedly plans to scan your iPhone for child sexual abuse images

Apple will install software on American iPhones that will look for child abuse imagery, the Financial Times reported.

Apple is reportedly planning to roll out software that will scan US iPhone photos for images of child sexual abuse, the Financial Times reported on Thursday.

Apple could announce more about the software in the coming week, according to the report, which cited security researchers familiar with Apple’s plans.

The software, reportedly called neuralMatch, is designed to look through images that have been stored on iPhones and uploaded to iCloud storage. According to the Financial Times, if the software detects child sexual abuse in a photo, it will then pass the material on to human reviewers who will alert law enforcement if they think the images are illegal.

However, security experts warned that this could snowball beyond looking for child sexual abuse images.

“Whether they turn out to be right or wrong on that point hardly matters. This will break the dam – governments will demand it from everyone,” Matthew Green, a cryptographer at Johns Hopkins University, said on Twitter.

An Apple spokesperson did not immediately respond to Insider’s request for comment, and the company declined to comment to the Financial Times.

Apple makes privacy a selling point, at times frustrating law enforcement

This new software, if implemented, would likely please law enforcement and government agencies, but risks potential backlash from privacy activists. Apple has made privacy features a cornerstone of its marketing in recent years, advertising that “what happens on your iPhone stays on your iPhone.”

But there are limits to this promise, and tradeoffs. Apple already checks images sent from Apple devices for child abuse imagery, using a technique called “hashing,” and alerts law enforcement when the algorithm flags a match and an Apple employee confirms it is suspected child abuse material. It also cooperates with law enforcement on lawful requests for information.
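The “hashing” described above, and the neuralMatch scanning reported earlier in the article, work on what a picture looks like rather than on its file bytes. The following is an added illustration written for this page, not Apple's code or algorithm: the textbook average hash (aHash) run on constructed grayscale images, alongside SHA-256, to show why an exact-match hash misses a recompressed or lightly edited copy while a perceptual hash with a Hamming-distance threshold (assumed here to be 10 bits) still catches it.

```python
"""Perceptual image hashing versus cryptographic hashing (added illustration).

SHA-256 of an image changes completely when a single byte changes, so it only
catches exact re-uploads of a known file. A perceptual hash summarises what
the picture looks like, so a recompressed or lightly edited copy lands a few
bits from the original and can be matched with a Hamming-distance threshold.
This is the textbook average hash (aHash) on constructed grayscale images;
it is a generic technique, not Apple's or any vendor's production algorithm.
"""
import hashlib

HASH_SIDE = 8  # 8x8 grid -> 64-bit hash


def downscale(pixels, side=HASH_SIDE):
    """Box-average a grayscale image (rows of 0-255 ints, at least side x side) to side x side."""
    h, w = len(pixels), len(pixels[0])
    out = []
    for by in range(side):
        y0, y1 = by * h // side, (by + 1) * h // side
        row = []
        for bx in range(side):
            x0, x1 = bx * w // side, (bx + 1) * w // side
            block = [pixels[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def ahash(pixels):
    """64-bit average hash: each cell is 1 if brighter than the mean of the 8x8 thumbnail."""
    cells = [v for row in downscale(pixels) for v in row]
    avg = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | (1 if v > avg else 0)
    return bits


def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def sha256_of(pixels):
    """Exact-match fingerprint of the raw pixel bytes."""
    return hashlib.sha256(bytes(v for row in pixels for v in row)).hexdigest()


def matches_blocklist(pixels, blocklist, max_distance=10):
    """True if the image is within max_distance bits of any known hash."""
    h = ahash(pixels)
    return any(hamming(h, known) <= max_distance for known in blocklist)


def sample_image(size=32):
    """Constructed test image: horizontal gradient with a bright square near one corner."""
    img = [[x * 255 // (size - 1) for x in range(size)] for _ in range(size)]
    for y in range(4, 12):
        for x in range(4, 12):
            img[y][x] = 255
    return img


def perturb(pixels):
    """Constructed stand-in for recompression noise: deterministic +/-5 jitter, clamped."""
    return [[max(0, min(255, v + (x * 7 + y * 13) % 11 - 5)) for x, v in enumerate(row)]
            for y, row in enumerate(pixels)]


def transpose(pixels):
    """A genuinely different picture (vertical gradient) built from the same pixel values."""
    return [list(col) for col in zip(*pixels)]


def demo():
    original = sample_image()
    known = {ahash(original)}  # the "blocklist": hashes of known images
    copy = perturb(original)
    other = transpose(original)
    return {
        "sha_matches_copy": sha256_of(copy) == sha256_of(original),  # False: any byte change breaks it
        "ahash_distance_copy": hamming(ahash(copy), ahash(original)),  # small
        "ahash_distance_other": hamming(ahash(other), ahash(original)),  # large
        "copy_flagged": matches_blocklist(copy, known),
        "other_flagged": matches_blocklist(other, known),
    }
```

The distance threshold is where the privacy argument in the rest of the article lives: a wider threshold catches more edited copies but also lets unrelated pictures collide with a listed hash, which is why the reported design routes matches to human reviewers before anything reaches law enforcement. A simple aHash is also easy to defeat with a crop or rotation; production systems use more robust perceptual hashes, but the same match-within-a-distance logic and the same false-positive tradeoff apply.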

“Our legal team reviews requests to ensure that the requests have a valid legal basis,” Apple writes on its website. “If they do, we comply by providing data responsive to the request. If a request does not have a valid legal basis, or if we consider it to be unclear, inappropriate, or overly broad, we challenge or reject the request. We report on the requests every six months.”

In the past, Apple has resisted government agencies’ requests for the company to install a back door that would allow law enforcement to access encrypted messages. New York City police and prosecutors have criticized Apple’s encryption technology for aiding criminals in hiding information from law enforcement.

Other tech companies like Facebook have also been caught between protecting users’ privacy and requests from law enforcement and government agencies. Government officials in multiple countries have criticized Facebook’s encryption of its Messenger service for making it more difficult to detect content depicting child sexual exploitation.

Researchers told the Financial Times that Apple’s decision could pressure other companies into implementing similar kinds of monitoring and could later expand into monitoring of images beyond child sexual abuse, like anti-government signs held at protests.

Read more about Apple’s reported plans for the software over at the Financial Times.


Didi has fallen a stunning 52% since its US IPO as China’s crackdown pummels the ride-hail giant

FILE PHOTO: The logo of Didi Chuxing is seen at a Didi station in Beijing, China January 2, 2019. REUTERS/Jason Lee

  • Didi is vying for China’s worst US IPO this year as its stock has lost more than half its value.
  • Not long ago, Didi was eyeing a $70 billion valuation. Less than a month from its debut, it is now worth less than $40 billion.
  • Didi has been spared the title of worst IPO this year by RLX Technology, a vaping company that has fallen 78%.

Didi is vying for China’s worst US IPO this year as the besieged ride hailing company’s stock has lost more than half its value.

Compared to the market open price on the day of its IPO, Didi has crashed as much as 52.1% on Friday. The company’s IPO listing price was $14, but the stock opened at $16.65 on its first day of trading. It now sits around $8, having fallen 31% this week alone.

Not long ago, Didi was eyeing a $70 billion valuation. Less than a month from its debut, it is now worth less than $40 billion.

That was the second-worst US listing for a Chinese company so far this year, of which there have been 37, according to Bloomberg. Didi edged out Full Truck Alliance, the so-called Uber for trucks that went public a week before Didi, which has lost 50.5% since its market open.

Both companies have been casualties of China’s widening cybersecurity probe. They have been barred from registering new users while the cyber ministry digs into alleged data-privacy risks for Chinese users.

Still, Didi has been spared the title of worst IPO this year by RLX Technology, a vaping company that has been buffeted by planned regulations to rein in China’s exploding e-cigarette usage. RLX has collapsed nearly 78% and is trading at less than $5 after debuting at $22 in February and peaking at $30.

Didi was trading at $8.04 as of 1:54 p.m. ET, down 21.2% so far on Friday.


Banks are reportedly scrambling to move IPOs of Chinese companies from New York to Hong Kong after regulators cracked down on overseas listings

  • Regulators’ harsh response to Didi’s IPO has forced the 20 or so Chinese companies that had plans to go public in New York to re-evaluate, according to a Financial Times report.
  • Thirty-four Chinese firms raised $12.4 billion in New York capital markets in the first half of this year, according to Dealogic data.
  • Data-oriented companies have been most eager to plan for Hong Kong listings, in large part because the mainland government’s crackdown has centered around data privacy.

Investment banks are scrambling to divert Chinese IPOs away from the US market and into Hong Kong as the government’s crackdown on foreign listings spreads, according to a Financial Times report.

Regulators’ harsh response to China’s last major foreign IPO, that of Didi Chuxing, has forced the 20 or so Chinese companies that had plans to go public in New York to re-evaluate.

Bankers who spoke with the FT said clients are exploring moving listings to Hong Kong but are also wary of the hurdles. Hong Kong-specific regulatory requirements and the inherent uncertainty of going first were among the leading concerns.

“We’re speaking to everyone about it,” one Hong Kong-based investment banker told the FT. “If you want to do a deal this year, at best you’ll be delayed until 2022 and at worst you won’t be able to do it.”

The move toward Hong Kong is an abrupt shift for corporate China. Thirty-four Chinese firms raised $12.4 billion in New York capital markets in the first half of this year, according to Dealogic data previously reported by the FT.

In the wake of Didi’s NYSE debut, China’s cybersecurity ministry alleged the company had violated privacy laws and launched an investigation into its data practices. The action took Didi’s stock price down sharply the day of the announcement.

Data-oriented companies have been most eager to plan for Hong Kong listings, in large part because the mainland government’s crackdown has centered around data privacy. Moving to Hong Kong could abate some of that scrutiny, two bankers told the FT.


Apple’s iPhone has a ‘major blinking red five-alarm-fire problem with iMessage security,’ according to a cybersecurity researcher

Apple CEO Tim Cook.

  • Apple’s iPhones are a lot less secure than Apple says, according to a new report.
  • “Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security,” one cybersecurity researcher said.
  • An iMessage exploit was used by an Israeli spyware firm’s tool to give its customers access to iPhones.

Apple’s iPhone isn’t as secure as Apple says it is, according to a bombshell new report from a group of media outlets and Amnesty International.

“Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security,” Citizen Lab Senior Research Fellow Bill Marczak said on Sunday.

Hackers were reportedly able to remotely access and replicate data from phones tied to 37 people, primarily reporters and executives, using a software tool named Pegasus created by NSO Group.

The software is sold to governments and is considered a military-grade hacking tool. Pegasus can infect a phone through so-called “zero-click” iMessage exploits, meaning the target never has to open or tap the message for the device to be compromised.

Moreover, the report found that even fully updated iPhones running the latest software and hardware could be breached by Pegasus.

Forensic reports completed by Amnesty International and verified by Citizen Lab found that even iPhones running iOS 14.6, the latest version of Apple’s mobile operating system at the time, had been compromised. “All this indicates that NSO Group can break into the latest iPhones,” Marczak said.

One such target was the fiancée of slain Washington Post columnist Jamal Khashoggi, according to the report. A forensic analysis of Hatice Cengiz’s iPhone found evidence of multiple breaches starting in early October 2018, immediately following Khashoggi’s assassination on October 2, 2018.

“Why do people say the iPhone is the more safe phone, that no one can hack?” Cengiz asks Washington Post reporter Dana Priest in a recent PBS Frontline segment regarding the spyware. “That’s what [Apple] says, the company,” Priest responds. “That’s not true.”

Following the report, NSO Group released a statement rebuking its findings and threatening a potential lawsuit. “We firmly deny the false allegations made in their report,” the statement said. “These allegations are so outrageous and far from reality that NSO is considering a defamation lawsuit.”

Apple representatives didn’t immediately respond to a request for comment regarding the specific iPhone security issues outlined in the report, and it’s unclear if an update is coming to patch the exploit.

“For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree iPhone is the safest, most secure consumer mobile device on the market,” Apple security engineering chief Ivan Krstić said in a statement to Insider. “Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

Read the full report on the Pegasus spyware and iPhone security right here.

Got a tip? Contact Insider senior correspondent Ben Gilbert via email (bgilbert@insider.com), or Twitter DM (@realbengilbert). We can keep sources anonymous. Use a non-work device to reach out. PR pitches by email only, please.
