Yesterday, the mobile giant T-Mobile says it suffered a data breach starting November 26, affecting 37 million existing customers on both prepaid and postpaid accounts. The company said in a US Securities and Exchange Commission filing that a “bad guy” manipulated one of the company’s application programming interfaces (APIs) to steal names, email addresses, phone numbers, billing addresses, dates of birth, account numbers, and expenses. customer service package. The initial breach occurred in late November, and T-Mobile discovered the activity on January 5.
T-Mobile is one of the largest mobile service providers in the United States and is estimate to have more than 100 million customers. But in the past 10 years, the company was notorious for its repeated data breaches along with other security incidents. The company had a major breach in 2021, two violate in 2020, one of 2019and another one in 2018. Most major companies struggle with digital security, and no one is immune to data breaches, but T-Mobile seems to be approaching companies like Yahoo in the temple of repeated compromises.
“I’m really disappointed to hear that after so many breaches they’ve had, they still haven’t been able to get the ship back on track,” said Chester Wisniewski, technical director of applied research at the security firm. your leak”. Sophos. “What is worrisome is that the criminals were in T-Mobile’s system for more than a month before being discovered. This shows that T-Mobile’s defenses don’t use state-of-the-art security surveillance and threat hunting teams, as you might expect to find in a large enterprise like a mobile network operator. .”
Due to limitations to the API (the interface that facilitates communication between two software programs), attackers do not have access to Social Security numbers or tax IDs, driver’s license data, passwords and PIN or financial information such as payment card data. However, that data has been compromised in recent T-Mobile breaches, including one in August 2021. In July 2022, T-Mobile agreed to settle a class-action lawsuit for that breach in a settlement that included $350 million for customers. At the time, the company also committed to a two-year, $150 million initiative to improve its digital security and data protection capabilities.
T-Mobile, which did not respond to multiple requests for comment from WIRED, wrote in its SEC disclosure that in 2021, “We have initiated a substantial multi-year investment in working with experts to leading outside cybersecurity experts to strengthen our cybersecurity capabilities and transform our approach to cybersecurity. We’ve made significant progress to date, and protecting our customers’ data remains a top priority.”
Obviously that’s not enough, given the recent incident that exposed the data of about a third of the company’s US-based customers.
“How many of these must T-Mobile have?” Jake Williams, a longtime incident responder and analyst at the Institute for Applied Cybersecurity, wondered. “API security is just starting to become something people are really focused on, which is a mistake. Detecting API abuse is not easy, especially if the threat agent is moving low and slow. I suspect a large number of these simply go undetected in general. But the bottom line is that T-Mobile’s API security clearly needs to work. You should not abuse the bulk API for more than six weeks.”
