March 20, 2023

The recent unauthorized access to AT&T’s Customer Propriety Network Information (CPNI) via a vendor’s system has refocused attention on flaws in the security programmes of major telecommunications providers.

Despite the fact that the data did not contain credit card numbers, Social Security Numbers, account passwords, or other sensitive personal information, the companies cybersecurity infrastructure has been called into question. According to Cyble, by 2023, more than 74 million US telecom customers’ data will have been leaked on the dark web.

Third-party vendor breaches were involved in each of the attacks detailed in the report. These third-party vendors are said to pose an increasing security risk because it is difficult for businesses to thoroughly vet a new contractor’s security stack before signing a contract.

Another factor that contributes to the attack is that major telecom and wireless providers sell their customers’ mobile data to advertisers, bringing in a new set of vendors who can access and exploit vulnerabilities in their security systems.

The most common attack types extend beyond the high-profile data breaches that make headlines. This is because malicious actors can use the information, they obtain to launch so-called SIM-swapping attacks, in which a hacker can remotely take over a phone number. These SIM-swapping attacks can then lead to malicious hackers stealing multifactor authentication codes and gaining access to people’s most secure accounts.

The vulnerability of the telecom sector to cyberattacks, according to Marcus Fowler, CEO of Darktrace Federal, has put industry pressure on them to bring in new vendors to help them expand their business lines. To address this, the FCC is working on an update to its data breach notification rules for telecom and wireless carriers.

The sources for this piece include an article in Axios.