How hackers stole the personal data of 37 million T-Mobile customers
The criminals took advantage of an API to grab personal details such as customer names, billing addresses, email addresses, phone numbers, dates of birth, and T-Mobile account numbers.
T-Mobile and millions of its customers have been the victims of another data breach — this one apparently carried out by hackers who knew how to exploit an application programming interface used by the carrier.
On Jan. 19, T-Mobile revealed the breach in a filing with the U.S. Securities and Exchange Commission, noting that the impacted API provided the hackers with names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, and plan features for 37 million current postpaid and prepaid customers.
T-Mobile’s SEC filing details
In its filing, the company didn’t name the API that was affected or explain how the hackers were able to exploit it. Fortunately, the API did not leak other personal data such as payment card numbers, Social Security numbers, driver’s license numbers, passwords, or PINs, according to T-Mobile.
The breach started on or around Nov. 25 of last year, the carrier said, adding that it stopped the malicious activity within a day after discovering it and that it’s currently working with law enforcement to investigate further.
Data breaches not new for T-Mobile
Data breaches and hacks are hardly a new phenomenon for T-Mobile. Over the past several years, the company has suffered several security incidents, including a bug on its website in 2018 that allowed anyone to access customer data, a breach in 2021 that exposed the personal data of almost 50 million people, and a series of breaches carried out by the Lapsus$ cybercrime group in March of 2022.
In its SEC filing, T-Mobile said that in 2021 it kicked off a “substantial multi-year investment” to work with external security providers to improve its cybersecurity capabilities. Claiming that it has “made substantial progress to date,” the company added that it will continue to invest further to strengthen its cybersecurity.
Misconfigured API the culprit of T-Mobile’s data breach
“Repeated data breaches such as this can have a significant impact on the reputation of organizations, and T-Mobile certainly seems to be an organization that is becoming synonymous with massive data breaches,” says Erich Kron, security awareness advocate at KnowBe4. “In this case, an incorrectly configured API was the culprit; however, this is indicative of potentially poor processes and procedures with respect to securing tools that have access to such a significant amount of data.
“By collecting and storing information on such a massive amount of customers, T-Mobile also has a responsibility to ensure it is secure, a responsibility which they have failed with multiple times now.”
An API acts as an interface between different systems and applications so that they can communicate with each other. However, because APIs are so ubiquitous among organizations, they have become a tempting target for cybercriminals. By conducting API scraping attacks, hackers can gain direct access to an organization’s critical data and assets.
“APIs are like highways to a company’s data: highly automated and allowing access to large amounts of information,” said Dirk Schrader, VP of security research for Netwrix. “When there are no controls in place that monitor the amount of data left by the domain via the API, it results in no control over customer data.”
T-Mobile’s stolen customer data a gold mine for hackers
Although no credit card details or Social Security numbers were accessed in the hack, the information that was stolen represents a gold mine for cybercriminals, according to Kron. Using this data, they can design phishing, vishing, and smishing attacks and reference information that a customer may feel would only be known to T-Mobile. A successful attack could then lead to financial theft or identity theft.
“The type of data exfiltrated in T-Mobile’s case is set to allow ransomware gangs … to improve the credibility of phishing emails sent to potential victims,” said Schrader. “Such a dataset would also be of interest to malicious actors, so-called Initial Access Brokers, that focus on collecting initial inroads to personal computers and company networks.”
Recommendations for T-Mobile customers and organizations that work with APIs
With this latest breach, T-Mobile customers should not only change their passwords but also be wary of any incoming emails that claim to be from the company or that refer to T-Mobile accounts or information. Scrutinize any unexpected or unsolicited emails for typos, errors, incorrect links and other misleading details.
To prevent these types of attacks, organizations that work with APIs should implement tight controls over who and what is allowed to use the APIs and at what time and frequency, says Schrader. A zero-trust approach is the best way to reduce the attack surface since it limits access to resources from inside and outside of the network until the request can be verified.
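The two defensive points above (spotting scraping against a customer-lookup API, and restricting which clients may call it and how often) can be illustrated with a short script. The code below is an added example written for this article, not T-Mobile's code or anything described in the SEC filing; the log format, the client names, the account numbers and the thresholds are all constructed for the demonstration. The first function scans access logs for a caller that issues an unusual volume of requests or walks through an unusual number of distinct account identifiers within a sliding window; the second enforces an allowlist plus a per-client token-bucket rate limit so that unregistered callers are denied outright and registered ones are held to an agreed frequency.

```python
"""Added example: detecting API scraping in access logs and enforcing a
per-client rate limit. Everything here (log format, client ids, account
numbers, thresholds) is hypothetical and constructed for illustration."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log, one line per request:
#   ISO-timestamp client_id endpoint account_id http_status
# "partner-app" behaves normally; "scraper" enumerates many distinct
# account numbers within a single minute.
SAMPLE_LOG = [
    "2022-11-25T02:00:00Z partner-app /v1/customer 100001 200",
    "2022-11-25T02:00:07Z partner-app /v1/customer 100001 200",
    "2022-11-25T02:00:15Z partner-app /v1/customer 100002 200",
] + [
    f"2022-11-25T02:01:{i:02d}Z scraper /v1/customer {200000 + i} 200"
    for i in range(60)
]


def parse_line(line: str) -> dict:
    """Parse one constructed log line into its fields."""
    ts, client, endpoint, account, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "client": client,
        "endpoint": endpoint,
        "account": account,
        "status": int(status),
    }


def detect_scraping(lines, window=timedelta(minutes=1),
                    max_requests=30, max_distinct_accounts=20):
    """Return {client: set(reasons)} for clients whose activity inside any
    sliding window looks like bulk enumeration of customer records."""
    by_client = defaultdict(list)
    for rec in map(parse_line, lines):
        by_client[rec["client"]].append(rec)

    findings = defaultdict(set)
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        recent = deque()       # requests currently inside the window
        accounts = Counter()   # distinct account ids inside the window
        for rec in recs:
            recent.append(rec)
            accounts[rec["account"]] += 1
            # Drop requests that have fallen out of the window.
            while rec["ts"] - recent[0]["ts"] > window:
                old = recent.popleft()
                accounts[old["account"]] -= 1
                if accounts[old["account"]] == 0:
                    del accounts[old["account"]]
            if len(recent) > max_requests:
                findings[client].add("request rate")
            if len(accounts) > max_distinct_accounts:
                findings[client].add("account enumeration")
    return dict(findings)


# Hypothetical allowlist: only registered clients may call the API, each
# with a sustained rate (requests per second) and a burst allowance.
AUTHORIZED_CLIENTS = {
    "partner-app": {"rate": 0.5, "burst": 10},
}


class RateLimiter:
    """Token-bucket limiter keyed by client id; unknown clients are denied."""

    def __init__(self, policy):
        self.policy = policy
        self.state = {}  # client -> (tokens_available, last_refill_time)

    def allow(self, client: str, now: datetime) -> bool:
        if client not in self.policy:
            return False  # not on the allowlist: deny, no bucket at all
        rate = self.policy[client]["rate"]
        burst = self.policy[client]["burst"]
        tokens, last = self.state.get(client, (burst, now))
        tokens = min(burst, tokens + (now - last).total_seconds() * rate)
        if tokens >= 1:
            self.state[client] = (tokens - 1, now)
            return True
        self.state[client] = (tokens, now)
        return False


if __name__ == "__main__":
    for client, reasons in detect_scraping(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(sorted(reasons))}")
```

Run as-is, the detector flags only the constructed "scraper" client, for both request rate and account enumeration, while the legitimate "partner-app" traffic passes; the limiter denies any caller not in the allowlist before a single record is returned. In a real deployment the thresholds would be tuned per endpoint and per client, and a hit on the enumeration check is a stronger signal than a hit on raw rate alone, since legitimate integrations tend to re-read the same accounts rather than sweep through new ones.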
“These attacks will keep happening until organizations commit to reduce and ultimately eliminate data silos and copy-based data integration in order to establish a foundation of control,” said Dan DeMers, CEO and co-founder of Cinchy. “In practice, what we’re talking about is a fundamental shift where CTOs, CIOs, CDOs, data architects, and application developers start to decouple data from applications and other silos to establish ‘zero copy’ data ecosystems.”
Organizations that want to pursue this type of silo-based security should look at standards such as Zero-Copy Integration and innovations such as dataware technology, DeMers said. Both of these focus on a data-centric approach based on the principle of control.