On January 19th T-Mobile reported another breach of their data, this being their second in as many years and their 8th since 2018. This is the second largest data breach the company has experienced, with 37 million customers being exposed. The data includes account details, names, billing and email addresses, phone numbers, birthdates, and account numbers. The hacker abused a poorly secured API (application programming interface) to mass collect this information.
The 2021 breach is regarded as the worst breach among cell phone carriers, as it exposed the names, birthdates, social security numbers, and IDs of current, former, and prospective customers. T-Mobile claims they have been making a “substantial, multiyear investment” with “substantial progress to date” since the breach in 2021 when 76.6 million customers were compromised. Three months after they spent 500 million to settle the class action lawsuit for this breach, it happened again.
Despite their claims of improvement, T-Mobile’s most recent breach took 2 months to be noticed. The hacker was able to gain sensitive data on 37 million customers, luckily for them it didn’t include any PII (personally identifiable information) like the attack in 2021. PII includes payment information, social security numbers, tax IDs, driver’s licenses and passwords. The hacker gained access to this data by using unsecured API. API is a software interface that allows application to communicate and share data with each other.
Poorly secured APIs are used in a variety of common attacks including DoS/DDoS, injection attacks, authentication hijacking, unencrypted communications, Man in the Middle, and data exposure. API attacks are becoming increasingly common, as they are the gateway to an organizations data and assets. Since API’s have grown in functionality, scope, and volume very quickly, many companies don’t have good enough security for them.
Many organizations don’t have an API security at all, or even have an inventory of their APIs.
While API attacks can be hard to detect, T-Mobile has made security promises to their customers they have now broken for the 8th time. Their supposed 150-million-dollar cybersecurity budget has not stopped the continued breaches of their customers data. As their profits and the number of breaches rise, its more important than ever to keep your information safe.
Comments