A hacker took advantage of an application programming interface (API) from US cellular carrier T-Mobile to steal the personal information of 37 million customers in two months.
The carrier’s acknowledgment, in a filing Thursday with the US Securities and Exchange Commission, comes six months after it agreed to settle a class action lawsuit over a 2021 data breach involving the personal information of over 76 million customers. In that incident an attacker penetrated the carrier’s test environments, then used brute force attacks and other methods to get into other IT servers that contained customer data.
As a result of that 2021 hack, T-Mobile said, it “began a multi-year investment working with leading external cyber security experts to enhance our cyber security capabilities and transform our approach to cyber security. We’ve made substantial progress so far, and protecting our customers’ data remains a top priority. We will continue to make substantial investments in strengthening our cyber security program.”
In its regulatory filing, T-Mobile said it learned on January 5 that a “bad actor was obtaining data through a single application programming interface” in activity that began on November 25, 2022.
It did not specify how the API was exploited.
“We immediately launched an investigation with external cyber security experts and within a day of learning about the malicious activity, we were able to locate and block the source of the malicious activity. Our investigation is still ongoing, but the malicious activity is fully contained at this time, and there is currently no evidence that a bad actor was able to breach or compromise our systems or our network.
“Our systems and policies prevented access to the most sensitive types of customer information, and as a result, based on our investigation, customer accounts and finances were not directly put at risk by this incident. The API abused by the bad actor does not provide access to any customer payment card information (PCI), social security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs or other financial account information, so none of that information was exposed. Rather, the affected API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features.”
An API lets a product or service communicate with other products and services, but, as Red Hat notes, APIs also allow organizations to share data with customers and other external users. IBM explains that an API is what allows users to log into multiple sites using their Google or Twitter credentials, and what lets travel booking sites aggregate thousands of flights. However, F5 Networks writes that APIs must be secured from injection, cross-site scripting, man-in-the-middle and other attacks through strong authentication.
Ilya Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, said that insecure APIs are increasingly becoming one of the primary sources of catastrophic data breaches. “The situation is exacerbated by shadow IT, which now includes not only forgotten, abandoned, or undocumented APIs and web services but also the full spectrum of accidentally exposed APIs from test and pre-production environments that may be hosted or managed by multiple third parties who have exclusive access to sensitive corporate data.”
Noting that the exfiltration of 37 million customer records was not detected and blocked by an anomaly detection system, he suspects that the breached API was an unknown, and thus vulnerable, shadow asset.
While customers’ financial data is reportedly safe, he said, what the hacker found could be used by cybercriminals to conduct sophisticated spear phishing attacks.
“In light of previous security incidents affecting T-Mobile,” he also said, “the legal consequences of this data breach could be very harsh, with courts and regulators unlikely to be lenient when considering monetary and other available sanctions.”
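Kolochenko’s point that 37 million records left through one API without tripping anomaly detection is worth making concrete. The script below is an added example, not T-Mobile’s code, logs or detection system: it parses constructed API access log lines (the field layout, client keys and account numbers are all assumptions) and flags any client that reads an unusually large number of distinct customer accounts within a sliding time window, which is the basic signal a bulk enumeration of an account-lookup endpoint leaves behind. As a second indicator it reports how often a client’s consecutive requests step through account numbers one by one.

```python
"""Flag bulk account enumeration through an API from access logs.

Added example: the log format, thresholds and all sample values are
constructed assumptions, not anything from T-Mobile's environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
# Assumed policy: a legitimate client rarely reads this many distinct
# customer accounts within one window.
MAX_DISTINCT_ACCOUNTS = 50


def build_sample_log():
    """Return constructed log lines: '<ISO timestamp> <client key> <status> <path>'."""
    lines = []
    start = datetime(2022, 11, 25, 10, 0, 0)
    # Two ordinary clients looking up their own handful of accounts.
    normal = [("key-1a2b", 500001), ("key-1a2b", 500001),
              ("key-9c4d", 730210), ("key-9c4d", 730211)]
    for i, (key, acct) in enumerate(normal):
        ts = start + timedelta(seconds=30 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} {key} 200 /v1/accounts/{acct}")
    # One client walking sequential account numbers, one request per second.
    for i in range(80):
        ts = start + timedelta(seconds=i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} key-7f3a 200 /v1/accounts/{100001 + i}")
    lines.sort()  # ISO timestamps sort chronologically as strings
    return lines


def parse_line(line):
    """Split one access log line into (timestamp, client, status, account id)."""
    ts, client, status, path = line.split()
    account = path.rsplit("/", 1)[1]
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, int(status), account


def sequential_fraction(accounts):
    """Fraction of consecutive requests whose numeric account ids differ by exactly 1."""
    if len(accounts) < 2:
        return 0.0
    steps = sum(
        1 for a, b in zip(accounts, accounts[1:])
        if a.isdigit() and b.isdigit() and abs(int(b) - int(a)) == 1
    )
    return steps / (len(accounts) - 1)


def find_enumeration(lines, window=WINDOW, max_distinct=MAX_DISTINCT_ACCOUNTS):
    """Return {client: (peak distinct accounts in any window, sequential fraction)}
    for every client whose peak exceeds max_distinct."""
    per_client = defaultdict(list)
    for line in lines:
        ts, client, status, account = parse_line(line)
        if status == 200:  # only successful reads actually disclose data
            per_client[client].append((ts, account))

    flagged = {}
    for client, events in per_client.items():
        events.sort()
        in_window = defaultdict(int)  # account id -> hits inside the current window
        left = 0
        peak = 0
        for ts, account in events:
            in_window[account] += 1
            # Slide the left edge forward until the window spans at most `window`.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct:
            flagged[client] = (peak, sequential_fraction([a for _, a in events]))
    return flagged


if __name__ == "__main__":
    for client, (peak, seq) in find_enumeration(build_sample_log()).items():
        print(f"{client}: {peak} distinct accounts in one window, "
              f"{seq:.0%} of requests sequential")
```

The sliding window keeps the check cheap enough to run continuously over an API gateway’s logs, and the per-client key is what makes it work: the same volume spread across thousands of clients is normal traffic, while one key touching 80 accounts in under two minutes is not. In practice the threshold would be set per endpoint from a baseline of known-good clients, and the alert would feed a block or throttle on that key rather than only a report.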