The criminals used an API to harvest personal information such as customer names, billing addresses, email addresses, phone numbers, dates of birth, and T-Mobile account numbers.
T-Mobile and millions of its customers fell victim to yet another data breach – this attack was apparently perpetrated by hackers who knew how to exploit an application programming interface used by the carrier.
On Jan. 19, T-Mobile disclosed the breach in a filing with the Securities and Exchange Commission, noting that through the affected API the hackers obtained names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, and plan features for 37 million current postpaid and prepaid customers.
Details of T-Mobile’s SEC filing
In its filing, the company did not identify the affected API or explain how the hackers exploited it. According to T-Mobile, the API did not expose any other personally identifiable information, such as payment card numbers, Social Security numbers, driver's license numbers, passwords, or PINs.
The malicious activity began on or about November 25, 2022, the carrier said, adding that it identified the activity on January 5, 2023, shut it down within a day of discovery, and is working with law enforcement on the ongoing investigation.
Data breaches are not new to T-Mobile
Data breaches and hacks are nothing new to T-Mobile. In recent years, the company has had several security incidents, including a 2018 flaw on its website that allowed anyone to access customer data, a breach in 2021 that exposed the personal information of nearly 50 million people, and a series of breaches carried out by cybercrime group Lapsus$ in March 2022.
In its SEC filing, T-Mobile said it initiated a “significant multi-year investment” in 2021 to work with third-party security vendors to improve its cybersecurity capabilities. The company claimed it has “made significant strides so far,” adding that it will continue to invest in strengthening its cybersecurity.
A misconfigured API is the culprit for the T-Mobile data breach
“Repeated data breaches like this can have a significant impact on a company’s reputation, and T-Mobile certainly seems to be a company that’s becoming synonymous with massive data breaches,” said Erich Kron, security awareness advocate at KnowBe4. “In this case, a misconfigured API was the culprit; however, this points to potentially poor processes and procedures when it comes to securing tools that have access to such a large amount of data.
“By collecting and storing information about such a large number of customers, T-Mobile also has a responsibility to ensure security, a responsibility they have now failed to meet on numerous occasions.”
An API is the interface through which systems and applications exchange data. Because APIs are everywhere in modern organizations and are built for automated, high-volume access, they have become a tempting target for cybercriminals. An API that does not properly authenticate callers, check that each request is authorized for the specific record it asks for, or limit how fast a caller may make requests can be scraped: an attacker scripts requests for one record after another and pulls an organization’s data out in bulk, with no need to break into the network at all.
“APIs are like highways to an organization’s data: highly automated and enabling access to vast amounts of information,” said Dirk Schrader, VP of Security Research at Netwrix. “If there are no controls in place to monitor the amount of data leaving the domain via the API, this translates into no control over customer data.”
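The kind of monitoring Schrader describes, applied to API access logs, is illustrated below as an added example (not code from the original article, T-Mobile, or Netwrix). The log lines are constructed, not real carrier data; the field names (`ts`, `client`, `account_id`) and the thresholds (50 distinct accounts per 10-minute window, 80% sequential ID steps) are assumptions chosen for the demonstration. It flags a caller that touches far more distinct account records in a window than any legitimate client would, or that walks through account IDs one after another, which is the signature of bulk scraping rather than normal use.

```python
"""Detect bulk account enumeration in API access logs (added example, constructed data)."""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MAX_DISTINCT_ACCOUNTS = 50   # assumed: distinct accounts one caller may touch per window
SEQUENTIAL_RATIO = 0.8       # assumed: fraction of lookups that step to the next account ID


def build_sample_log():
    """Constructed JSON-lines log (not real data): a subscriber refreshing its own
    account, a partner service reading a modest set of accounts, and a token
    walking consecutive account IDs at one request per second."""
    t0 = datetime(2022, 11, 25, 3, 0, 0)
    lines = []

    def add(ts, client, acct):
        lines.append(json.dumps({"ts": ts.isoformat(), "client": client,
                                 "path": "/v1/accounts/%d" % acct,
                                 "account_id": acct, "status": 200}))

    for i in range(5):                        # one user, one account, a few refreshes
        add(t0 + timedelta(minutes=3 * i), "app-user-7731", 88120045)
    for i in range(20):                       # partner: 20 unrelated accounts over an hour
        add(t0 + timedelta(minutes=3 * i), "billing-partner", 50000000 + 97 * i)
    for i in range(300):                      # scraper: 300 consecutive IDs in 5 minutes
        add(t0 + timedelta(seconds=i), "svc-token-0xa1", 31000000 + i)
    return "\n".join(lines)


def parse_log(text):
    """Parse JSON lines into records with a datetime timestamp."""
    recs = []
    for line in text.splitlines():
        if line.strip():
            r = json.loads(line)
            r["ts"] = datetime.fromisoformat(r["ts"])
            recs.append(r)
    return recs


def find_enumerators(records, window=WINDOW, max_accounts=MAX_DISTINCT_ACCOUNTS,
                     seq_ratio=SEQUENTIAL_RATIO):
    """Return {client: [reasons]} for callers whose access pattern looks like scraping."""
    by_client = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_client[r["client"]].append(r)

    alerts = {}
    for client, recs in by_client.items():
        reasons = set()
        # Sliding window over this client's requests: how many distinct account
        # records did it read within any `window`-long span?
        in_window = Counter()
        left = 0
        for r in recs:
            in_window[r["account_id"]] += 1
            while r["ts"] - recs[left]["ts"] > window:
                old = recs[left]["account_id"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > max_accounts:
                reasons.add("distinct_accounts>%d" % max_accounts)
        # Enumeration signal: consecutive requests step the account ID by exactly 1.
        steps = [b["account_id"] - a["account_id"] for a, b in zip(recs, recs[1:])]
        if len(steps) >= 10 and sum(1 for s in steps if s == 1) / len(steps) >= seq_ratio:
            reasons.add("sequential_ids")
        if reasons:
            alerts[client] = sorted(reasons)
    return alerts


if __name__ == "__main__":
    for client, why in find_enumerators(parse_log(build_sample_log())).items():
        print(client, why)
```

Only the enumerating token is reported; the partner that reads 20 scattered accounts over an hour stays under both thresholds. In practice the thresholds would be tuned per client role, and the same two signals (distinct records per window and monotonic ID walks) are cheap to compute in a SIEM or at the API gateway, where they can also trigger an automatic block rather than just an alert.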
T-Mobile’s stolen customer data is a gold mine for hackers
Although no payment card details or Social Security numbers were accessed, Kron says the stolen information is a gold mine for cybercriminals. It lets them craft phishing, vishing, and smishing attacks that reference details a customer would assume only T-Mobile knows, and a successful attack can then lead to financial fraud or identity theft.
“The nature of the data that was exfiltrated in the T-Mobile case is intended to allow ransomware gangs to … improve the credibility of phishing emails sent to potential victims,” Schrader said. “Such a dataset would also be interesting for malicious actors, so-called initial access brokers, who focus on collecting initial access to PCs and company networks.”
Recommendations for T-Mobile customers and organizations working with APIs
In light of this latest breach, T-Mobile customers should change their passwords and be on the lookout for incoming emails, calls, or texts that claim to come from the company or refer to their T-Mobile account. Check any unexpected or unsolicited message for typos, errors, broken links, and other signs of phishing before acting on it.
To prevent these types of attacks, organizations that expose APIs should enforce strict controls over who and what can call them, when, and how often, Schrader says. A zero trust approach reduces the attack surface by denying access to resources, whether the request originates inside or outside the network, until each request has been verified.
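What those per-request controls look like in code is shown below as an added example (not code from the original article, T-Mobile, or any of the quoted vendors). The token store, account records, scope names, and rate-limit parameters are all constructed assumptions. The first function shows the misconfiguration pattern the article warns about: a single valid credential can read any account, whole record. The `AccountApi` class beside it authenticates the caller, throttles each principal before any data is touched, checks that the token is actually bound to the requested account, and returns only the fields the caller's scope needs.

```python
"""Account-lookup API: unchecked lookup vs. per-request authorization, rate limiting
and field minimization (added example, constructed data, not T-Mobile's API)."""
from dataclasses import dataclass
from typing import Optional

# Constructed token store: bearer token -> principal, accounts it is bound to, scope.
TOKENS = {
    "tok-user-7731": {"sub": "user-7731", "accounts": {88120045}, "scope": "account:read"},
    "tok-partner-billing": {"sub": "billing-partner", "accounts": {50000000, 50000097},
                            "scope": "account:read"},
}
# Constructed account records; field names mirror the data classes listed in the filing.
ACCOUNTS = {
    88120045: {"name": "A. Subscriber", "plan": "Plan X", "dob": "1990-01-02", "billing_address": "1 Main St"},
    50000000: {"name": "B. Subscriber", "plan": "Plan Y", "dob": "1985-05-06", "billing_address": "2 Elm St"},
    50000097: {"name": "C. Subscriber", "plan": "Plan X", "dob": "1978-09-10", "billing_address": "3 Oak St"},
    31000000: {"name": "D. Subscriber", "plan": "Plan Y", "dob": "2001-03-04", "billing_address": "4 Pine St"},
}
# Assumed: the record fields each scope is permitted to see (data minimization).
SCOPE_FIELDS = {"account:read": ("name", "plan")}


def lookup_unchecked(token, account_id):
    """The misconfiguration pattern: the token only has to be valid, not authorized
    for this account, and the caller gets the entire record back."""
    if token not in TOKENS:
        return 401, {"error": "invalid token"}
    rec = ACCOUNTS.get(account_id)
    return (200, dict(rec)) if rec else (404, {"error": "not found"})


@dataclass
class TokenBucket:
    """Per-principal rate limiter. `now` is injected so behaviour is deterministic."""
    rate: float                    # tokens refilled per second
    capacity: float                # maximum burst
    tokens: float = 0.0
    last: Optional[float] = None

    def allow(self, now):
        if self.last is None:
            self.tokens = self.capacity
        else:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class AccountApi:
    def __init__(self, rate=1.0, burst=5):
        self.rate, self.burst = rate, burst
        self.buckets = {}

    def get_account(self, auth_header, account_id, now):
        # 1. Authenticate the caller.
        if not auth_header.startswith("Bearer ") or auth_header[7:] not in TOKENS:
            return 401, {"error": "invalid token"}
        claims = TOKENS[auth_header[7:]]
        # 2. Throttle per principal before any data is read, so even a stolen or
        #    leaked credential cannot walk the account-ID space at full speed.
        bucket = self.buckets.setdefault(claims["sub"], TokenBucket(self.rate, self.burst))
        if not bucket.allow(now):
            return 429, {"error": "rate limited"}
        # 3. Object-level authorization: the token must be bound to this account.
        #    Answer 404 rather than 403 so the API does not confirm which IDs exist.
        if account_id not in claims["accounts"] or account_id not in ACCOUNTS:
            return 404, {"error": "not found"}
        # 4. Return only the fields the caller's scope needs; dob and billing
        #    address never leave the service for this scope.
        fields = SCOPE_FIELDS.get(claims["scope"], ())
        return 200, {k: ACCOUNTS[account_id][k] for k in fields}


if __name__ == "__main__":
    print("unchecked:", lookup_unchecked("tok-user-7731", 31000000))
    api = AccountApi(rate=1.0, burst=3)
    print("own account:", api.get_account("Bearer tok-user-7731", 88120045, now=0.0))
    print("other account:", api.get_account("Bearer tok-user-7731", 31000000, now=0.1))
```

The ordering matters: the rate limiter runs before the authorization check so that failed probes for other customers' IDs also consume the caller's budget, and the unauthorized and nonexistent cases return the same response so the endpoint cannot be used as an oracle for which account numbers are real. Field minimization is the last line of defence: if a token is abused despite the other controls, the exposure is bounded by what the scope can see.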
“These attacks will continue until organizations commit to reducing and ultimately eliminating data silos and copy-based data integration to establish a foundation of control,” said Dan DeMers, CEO and co-founder of Cinchy. “In practice, we’re talking about a sea change where CTOs, CIOs, CDOs, data architects, and application developers are beginning to decouple data from applications and other silos to build zero-copy data ecosystems.”
Organizations looking to pursue this type of data-centric security should look to standards like zero-copy integration and innovations like dataware technology, DeMers said. Both focus on a data-centric approach based on the principle of control.