U.S. Telecommunications giant T-Mobile disclosed on Thursday that hackers obtained data on 37 million customers through a vulnerable API (application program interface). The disclosure was included in an 8-K filing with the U.S. Securities and Exchange Commission.
The incident is just the latest affecting the company and comes less than two years after a serious breach that exposed data on some 77 million customers, which was then put up for sale in hacker forums.
Names, emails, phone numbers exposed by T-Mobile
The data exposed includes customers’ names, billing addresses, emails, phone numbers, and dates of birth. The attack also revealed T-Mobile account numbers and information on the customers’ T-Mobile plans, the company said.
T-Mobile first became aware of the incident on January 5th, when the company determined that “a bad actor was obtaining data through a single Application Programming Interface (‘API’) without authorization.” The attackers appear to have had access to the company’s data starting on November 25th, according to the filing.
Leaky APIs sow havoc…again
APIs are a growing security risk for organizations as digital transformation sees organizations embracing cloud-based applications and services, in place of on-premises hardware and software. APIs are the glue that holds such infrastructure together: facilitating and standardizing programatic access to those services. However, if not properly designed, deployed and monitored, APIs can provide malicious actors with easy access to sensitive systems and data.
A team of researchers led by Sam Curry found that connected vehicles from more than a dozen automakers were vulnerable to attacks via APIs used to enable mobile, telematics applications. Flaws in an API by telematics maker SiriusXM, for example, allowed an outsider to send commands to a vehicle using SiriusXM software with nothing more than knowledge of the vehicle’s VIN identification number – which can be viewed through the windshield.
T-Mobile: network wasn’t hacked
T-Mobile blamed the attack on a “bad actor” who “first retrieved data through the impacted API starting on or around November 25, 2022.” The company said it is investigating the incident and has notified both law enforcement and federal authorities. T-Mobile has also notifying customers whose information may have been exposed, the company said.
The company took pains in its statement to clarify that its corporate network had not been compromised, even as data on millions of its customers flowed into the hands of unknown cyber attackers. “The malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” T-Mobile said. It also clarified that customer financial information, such as credit card numbers, were not exposed via the API.
Investments in cybersecurity ‘making progress’
The breach is the second major incident affecting T-Mobile in as many years. In the 2021 incident, hackers obtained access to a company database server that was exposed to the public Internet. Attackers obtained IMEI data, which can uniquely identify and locate a cellphone user, going back to 2004. The company paid $350 million to settle a class action suit stemming from that breach in July. It also agreed to invest $150 million to improve cybersecurity in 2022 and 2023, according to an SEC filing.
On Thursday, the company said it is in the process of making those investments and working with “As we have previously disclosed, in 2021, we commenced a substantial multi-year investment working with ”leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity.”
T-Mobile says it is making “substantial progress” on that – appearances to the contrary.
We will continue to follow this story as it evolves.