NTT Com Breach Exposes 18,000 Organizations: What Went Wrong and How to Fight Back
NTT Communications (NTT Com) is a Japanese telecommunications company that delivers phone and network solutions to enterprises and consumers.
On February 5, 2025, the company disclosed that it had suffered a data breach that exposed sensitive data from nearly 18,000 organizations, sending shockwaves across the industry. This follows on the heels of a threat actor operating out of China successfully breaching U.S. telecom providers such as Verizon, AT&T, T-Mobile, and others.
The incident underscores not only the vulnerabilities in critical infrastructure, but the significant cascading impact a single breach can have on the global enterprise ecosystem.
How did the breach happen?
Currently, there is a limited amount of information disclosed about how the unauthorized access occurred. However, what we do know is:
- A first device bypassed controls and gained unauthorized access to NTT’s internal network
- Once inside the network, the attacker breached the “Order Information Distribution System”
- The attacker then pivoted to a second device on the NTT network; that device has since been disconnected to prevent further lateral movement

Nonetheless, based on industry research across multiple threat reports (Mandiant 2024, CrowdStrike 2025), we can assume that:
- All breaches begin with initial access
- The largest threat surface for initial access is identity-based attacks
- These attacks target credentials and users’ devices

The most frequent cybersecurity vulnerabilities that could have contributed to this alarming incident include:
- Compromised Credentials: Attackers may have leveraged weak or stolen credentials to gain unauthorized access. According to the CrowdStrike Global Threat Report, compromised credentials continue to be a leading factor in data breaches.
- Insufficient Multi-Factor Authentication: The lack of phishing-resistant multi-factor authentication (MFA) can leave systems exposed, a gap so significant that CISA, NIST, NYDFS, and, most recently, PCI DSS have all addressed it in their updated regulatory guidelines.
- Unpatched Systems: Attackers may have exploited unpatched vulnerabilities or applications running with known CVEs, a common breach vector highlighted by the Verizon 2024 Data Breach Investigations Report, which identifies unpatched software as a leading cause of security incidents.
- Misconfigurations: Inadequately configured device or network security settings may have given attackers an easy entry point. The Cybersecurity and Infrastructure Security Agency (CISA) emphasizes the role that misconfigurations play in successful cyber attacks.
What are effective mitigation strategies?
In response to incidents like the NTT Com breach, we recommend organizations adopt a defense-in-depth strategy that layers access controls to defend against a variety of initial access vectors.
Defending against credential compromise
Eliminate weak and phishable factors: Phishable factors include passwords, one-time passcodes (OTP), and push notifications. These factors are easily stolen, and users can be tricked into providing them on malicious sites. Removing them from the authentication flow altogether means the user cannot be phished: attackers can’t steal what doesn’t exist.
Defending against weak MFA
Implement phishing-resistant MFA: Phishing-resistant MFA built on device-bound public key credentials improves the user experience and removes this threat vector from your enterprise environment. Unlike weak factors, it relies on credentials that cannot be stolen or tampered with, verifies the origin of each access request, and is resistant to verifier compromise.
Defending against unpatched systems
Timely patch management and automated vulnerability scanning: Unpatched systems are a primary target because attackers exploit known flaws. Regularly applying updates and patches, along with continuous vulnerability assessments, minimizes the window for potential exploits. This proactive approach keeps your systems resilient, reduces the attack surface, and prevents adversaries from capitalizing on outdated software.
Enforce patching at access: Enable real-time enforcement of patching requirements every time a user attempts to authenticate. For instance, through its device trust capabilities, Beyond Identity verifies critical device security attributes, including OS version, application version, and the presence of endpoint protection, before granting access. If a device is missing critical updates or fails to meet an organization’s policy, access is blocked or step-up authentication is required. This approach ensures only fully patched and compliant devices can access sensitive resources, dramatically reducing exposure to known vulnerabilities.
Defending against misconfigurations
Block misconfigured devices before they get access: Misconfigured devices, whether due to disabled firewalls, outdated OS settings, or missing security tools, pose a serious risk to enterprise environments. Beyond Identity enforces strict device trust policies for all devices, managed or unmanaged, at the time of access, checking configuration settings in real time before every access grant. With continuous visibility into each device’s posture, IT and security teams can define and enforce policies that automatically block access from non-compliant devices. This real-time and ongoing enforcement ensures that misconfigured endpoints never become a silent entry point for attackers.
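The access-time device trust checks described under “Enforce patching at access” and “Block misconfigured devices” above, as an added Node.js example that is not Beyond Identity’s code: a small policy engine that evaluates a device’s reported posture (OS version, agent version, endpoint protection, firewall, managed state) and returns allow, step-up, or deny with reasons for the audit log. The policy thresholds and attribute names are constructed assumptions; missing or unparseable attributes fail closed.

```javascript
// Added example, not Beyond Identity's code: device posture evaluation at access time.
// Attribute names and thresholds are constructed assumptions for illustration.
const POLICY = {
  minOsVersion: '14.4',      // constructed minimum OS version
  minAppVersion: '2.10.0',   // constructed minimum agent/app version
  requireEdr: true,          // endpoint protection must be running
  requireFirewall: true,     // host firewall must be enabled
  stepUpIfUnmanaged: true,   // unmanaged devices get step-up rather than plain allow
};

const VERSION_RE = /^\d+(\.\d+)*$/;

// Compare dotted numeric versions component by component, so '14.3.1' < '14.4'
// and '2.9.9' < '2.10.0' (a plain string compare would get both wrong).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Fail closed: a missing or malformed version string never satisfies the minimum.
function meetsMinimum(actual, minimum) {
  if (typeof actual !== 'string' || !VERSION_RE.test(actual)) return false;
  return compareVersions(actual, minimum) >= 0;
}

// Returns { decision: 'allow' | 'step-up' | 'deny', reasons: [...] }.
// Every failed check is collected so the log explains why access was refused.
function evaluateDevice(device, policy = POLICY) {
  const reasons = [];
  if (!meetsMinimum(device.osVersion, policy.minOsVersion)) reasons.push('os-outdated-or-unknown');
  if (!meetsMinimum(device.appVersion, policy.minAppVersion)) reasons.push('app-outdated-or-unknown');
  if (policy.requireEdr && device.edrRunning !== true) reasons.push('edr-missing');
  if (policy.requireFirewall && device.firewallEnabled !== true) reasons.push('firewall-disabled');
  if (reasons.length > 0) return { decision: 'deny', reasons };
  if (policy.stepUpIfUnmanaged && device.managed !== true) {
    return { decision: 'step-up', reasons: ['unmanaged-device'] };
  }
  return { decision: 'allow', reasons: [] };
}
```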
Cloud configuration management: Network and cloud misconfigurations can create inadvertent entry points for cyber attackers. By conducting frequent audits and using automated tools to enforce secure settings, organizations can detect and rectify deviations swiftly. This method not only fortifies the infrastructure but also guarantees that security measures are correctly applied and maintained across the entire environment.