Google LLC has informed customers of Google Fi, the company’s mobile virtual network operator service, that their data may have been breached due to “suspicious activity relating to a third party system that contains a limited amount of Google Fi customer data.”
The email to customers did not name who the third party was, referring only to a “primary network provider for Google Fi.” However, it’s not hard to work out who the third party was.
As an MVNO, Google Fi uses other carriers to provide cellphone and data access to its customers. The largest provider of mobile services to Google Fi is T-Mobile USA Inc., which disclosed yet another breach, affecting 37 million customers, on Jan. 19.
According to the email, data that may have been exposed by the “third-party system” included when an account was activated, data about mobile service plans, SIM card serial number and active or inactive account status. Google did note that the data did not contain information such as name, date of birth, email address, payment card, identification, passwords, or the content of any SMS messages or calls.
Google added that it has undertaken an investigation and is working with its primary network provider to identify and implement measures to secure the data on the third-party system.
Working with what is clearly T-Mobile, even if Google doesn’t name them, to improve security is arguably an exercise in futility. Companies do get hacked – it’s an unfortunate reality in the 21st century, but most take successful action to prevent future attacks. T-Mobile, on the other hand, is a lesson in modern-day security ineptitude.
Previous hacks involving T-Mobile include the theft of the details of 2 million customers in August 2018, a hack involving the theft of prepaid customer data in November 2019, the theft of employee and customer data in March 2021 and the theft of 48 million records in August 2021.
The August 2021 breach resulted in T-Mobile agreeing to pay $500 million to settle a class action lawsuit in July. Under the agreement, $350 million went to a settlement fund and $150 million went toward enhancing data security measures. How the $150 million was spent is unclear, but whatever it was spent on didn’t work.
“This is another example of where subcontracting services to others can result in problems for the main organization,” Erich Kron, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “While this practice is fairly common, when issues arise, the results can still be significant. Given the history of breaches related to T-Mobile, it would have been wise for Google to require additional and more stringent security measures than perhaps T-Mobile currently has in place.”
Kron warned that the stolen data could be used for SIM swaps to intercept multi-factor authentication messages sent through SMS. Lior Yaari, chief executive officer and co-founder of data security firm Grip Security Inc., warned likewise, saying that the hackers can potentially do a lot of damage by having access to the users’ phone numbers and SIM card serial numbers, including taking over phone numbers.
“At a minimum, affected customers should consider changing out their SIM card to protect themselves,” Yaari explained. “Once the hackers take over your phone number, they can use it for illicit purposes or even bypass two-factor authentication that uses SMS.”