T-Mobile disclosed a major new breach that began in November, traced to a single application programming interface (API) that was abused without authorization. The result: the personal data of more than 37 million prepaid and postpaid customer accounts was exposed.
For those watching, this latest disclosure marks the second massive T-Mobile data breach in two years and more than half a dozen in the past five years.
And they were expensive.
Last November, the Massachusetts Attorney General fined T-Mobile $2.5 million over a 2015 data breach. Another data breach in 2021 cost the carrier $500 million: $350 million in payments to affected customers and another $150 million in security improvements through 2023.
Now the telecommunications giant is mired in yet another cybersecurity incident.
T-Mobile's Cyber Security Snafu
John Binns, the attacker who claimed responsibility for the 2021 hack affecting 54 million past, present and prospective T-Mobile customers, boasted in an interview with the Wall Street Journal that T-Mobile’s “terrible” security made his job easier.
But an infrastructure the size of T-Mobile’s is hard to cover across its entire attack surface, which makes its systems particularly difficult to maintain, Justin Fier, senior vice president of red team operations at Darktrace, told Dark Reading.
“Like most major brands, T-Mobile has a very complex and extensive digital real estate,” Fier explains. “It’s getting harder every day to gain insight into every aspect of this property and make sense of the data, which is why we’re increasingly seeing firms using technology to fill this role.”
However, he adds that exploiting the vulnerable API did not require much skill on the attacker’s part.
Beyond weak API security, Mike Hamilton, director of information security at Critical Insight, told Dark Reading that this latest hack also demonstrates a lack of network visibility and of the ability to detect abnormal behavior.
“Details are scarce, and there was no attribution of an ‘intruder’ who appeared to have had access to the data for about 10 days before being stopped,” says Hamilton.
T-Mobile’s next fight with the regulators
In disclosing the cybersecurity incident, T-Mobile downplayed the stolen account data, describing it as “basic” and “widely available in marketing databases.” While that may read as a glib disregard for the impact on its customers, the distinction could shield the company from government regulators, Hamilton adds.
“Data can be monetized by selling it in bulk, although it has no real value,” says Hamilton. “Most of the stolen data can be found in public sources and is unlikely to result in legal action under state privacy laws such as the CCPA (California Consumer Privacy Act).”
However, T-Mobile could be in big trouble in Europe under GDPR and with the UK’s Information Commissioner’s Office (ICO), Tim Cope, CIO of NextDLP, told Dark Reading. He adds that such sanctions will ultimately encourage investment in the necessary cybersecurity defenses.
“Regulatory oversight from the ICO and GDPR should hopefully lead to a lot of fines along with these privacy breaches,” Cope says, “which in turn should attract more investment in security teams to help create better controls to protect the API from current and future attacks.”