T-Mobile discloses a data breach.
Jan 20, 2023

T-Mobile yesterday disclosed a data breach impacting 37 million customer accounts.

Mobile carrier T-Mobile disclosed a data breach yesterday that affects around 37 million postpaid and prepaid customer accounts, SecurityWeek reports.

Threat actors abuse T-Mobile APIs.

T-Mobile said in a Thursday filing with the US Securities and Exchange Commission (SEC) that the data breach was the work of a malicious actor abusing an API without authorization. The wireless provider claims that the attack, discovered January 5, was stopped within a day of discovery, Bloomberg reports, and that it had pinpointed the source. The carrier says that there is no evidence that any other systems were affected, and that the breach did not appear to affect any sensitive data, but rather “name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features,” SecurityWeek explains.

Industry comments on the impact to T-Mobile and the implications of API data breaches.

Ivan Novikov, CEO and co-founder of Wallarm, discusses the importance of securing APIs, and how to prepare for and mitigate these types of breaches:

“The T-Mobile breach is a stark reminder of the importance of API security in today's digital landscape. It's important for organizations to understand the unique challenges that come with protecting APIs and utilize technologies specifically designed to mitigate the risk of similar breaches. As organizations continue to accelerate their digital transformation efforts and leverage more and more APIs, it's crucial that they have the right tools and expertise in place to protect their sensitive data. 

“To prepare for and mitigate API security breaches, organizations can take the below five measures:

  1. “Prioritize API security: API security should be a top priority for organizations as unauthorized access through a single API can lead to a significant data breach.
  2. “Regularly review and update security systems and policies: Organizations should regularly review and update their cybersecurity systems and policies to prevent sensitive customer information from being accessed.
  3. “Invest in cybersecurity capabilities: Implementing robust security measures and investing in cybersecurity capabilities can help mitigate the risk of data breaches.
  4. “Have a plan in place for incident response: In the event of a security incident, organizations should have a plan in place to respond quickly and effectively, including notification of customers and relevant authorities.
  5. “Learn from security breaches: It's important for organizations to learn from security breaches by conducting investigations and identifying the root cause and taking appropriate measures to prevent future incidents.”

Neil Mack, CFA, Vice President – Senior Analyst for Moody’s Investors Service, explains the negative credit impact to T-Mobile as a result of this breach and the questions it raises about the company’s cybersecurity practices:

“T-Mobile’s latest announced cybersecurity breach, this time affecting 37 million current postpaid and prepaid customer accounts, is credit negative and raises questions about the company’s cyber risk governance and management practices. While these cybersecurity breaches may not be systemic in nature, their frequency of occurrence at T-Mobile is an alarming outlier relative to telecom peers, and it could negatively impact customer behavior, cause churn to spike and potentially attract the scrutiny of the FCC and other regulators.”

Dr. Ilia Kolochenko, Founder of ImmuniWeb, and a member of Europol Data Protection Experts Network, notes the increase in API-based data breaches, and the possible legal ramifications T-Mobile may see in the coming future:

“Unprotected APIs are rapidly becoming one of the primary sources of disastrous data breaches. The situation is aggravated by shadow IT that now encompasses not only the forgotten, abandoned, or undocumented APIs and web services but also the full spectrum of accidentally exposed APIs from test and pre-production environments that may be hosted or managed by numerous third parties that have privileged access to sensitive corporate data.

“Given that the exfiltration of 37 million customer records was visibly not detected and blocked by the anomaly detection system, we could suppose that the breached API belonged to the unknown and thus unprotected shadow assets. While the financial data of the customers is reportedly safe, the compromised billing details can be aptly exploited by cybercriminals for sophisticated spear phishing attacks aimed, amongst other things, to steal 2FA tokens from other systems.

“In view of the previous security incidents implicating T-Mobile, legal consequences for this data breach may be pretty harsh – courts and regulators will unlikely be lenient when considering monetary and other available sanctions.”

The T-Mobile incident as a case study in access management.

Added, 10:30 PM, January 20th, 2023.

Lorri Janssen-Anessi, Director, External Cyber Assessments at BlueVoyant, wrote to comment on signs of appropriate access management in the incident:

"The recently reported T-Mobile breach shows the importance of access management. It seems T-Mobile made sure to institute access management for their customer data, only allowing certain levels of data access as necessary. The integration of strong access management into any security program is truly a must. These days, it has become commonplace to ask when organizations will suffer a breach rather than if. Proactive planning and a robust cybersecurity program can surely minimize the impact and ensure both continuity of operations as well as reduced customer impact. Although it has yet to be confirmed, it is possible that this breach is as a result of a third-party which has unfortunately become more frequent than few and far in between. With research already indicating that 98% of enterprises are negatively impacted by breach in the digital supply chain, ensuring the security of your data through all third party interactions must be prioritized."

APIs, and their contribution to an organization's attack surface.

Added, 10:30 PM, January 20th, 2023.

Tom Kellermann, CISM, Senior VP of cyber strategy at Contrast Security, focused on the place APIs have come to occupy in an organization's attack surface:

“APIs have become a gateway for cybercriminals to hijack the digital transformation of companies. T-Mobile is not the first or last major corporation to be attacked in this fashion. We should expect to see APIs increase as an attack vector for a number of reasons: 

  • "The total number of public and private APIs in use is approaching 200 million. 
  • "There is a shift in new development approaches to microservices architecture. 
  • "Shadow APIs abound. 
  • "Hybrid apps spanning on-premises, cloud and serverless environments increase the attack surface.”

Mike Hamilton, founder and CISO of Critical Insight, also picked up on the importance of API security to the incident:

"This is apparently API security that was not addressed, combined with poor ability to detect aberrational behavior. Details are scant and there has been no attribution of the ‘bad actor’, which apparently had access to data for about 10 days before being stopped. In terms of the potential for actual harm for those whose records were disclosed, the threat is likely limited to targeted phishing attacks and using the information to attempt financial fraud, however without actual payment details included in the data this is not a high risk. The data may be monetized by selling in bulk although it’s of little actual value. Most of the data in the theft can be found in public sources and is unlikely to cause legal action from state privacy statutes like the CCPA. However, the FTC has been aggressively enforcing the false claims act, and to the extent that T-Mobile has made representations about controls there may be action there, up to and including a consent decree because of the recurring nature of these incidents. Lastly, the facts as reported may change, and we may find out later there was more information lifted than is being reported now. Also, on the inability to secure data, API security and its friend cloud security posture management are relatively new security products/services, and it’s highly likely that TMUS is looking into them right now."

And Thomas Cope, Chief Security Officer (CSO) at Next DLP, draws comparisons between what happened in the T-Mobile incident and other cases that have gone before:

"The T-Mobile attack here strikes me as very familiar to the Moonpig API flaw back in 2016 and more recently the Twitter API flaw. Both of which were large breaches of users' privacy with their names, phone numbers and email addresses being exposed through API skimming attacks. The ICO released an article back in 2018 entitled "Guide to the General Data Protection Regulation (GDPR)" where I feel the current state of these attacks is expressed quite well "You must also ensure that you are aware of the state of technological development in this area and must ensure that your processes and technologies are robust against evolving threats." The tools and skills required to find and exploit these API endpoints are becoming more available and companies are having difficulties building adequate defenses to detect and respond to these types of attacks, resulting in regular exposure of customer data. The regulatory oversight of the ICO and GDPR should hopefully bring a large series of fines along with these privacy breaches which should in turn feed more investment into security teams to help build better controls to guard APIs against the current and future attacks."

Erich Kron, security awareness advocate at KnowBe4, points out that breaches like this one have a cumulative effect that extends beyond the immediate impact of the incident itself:

“Repeated data breaches such as this can have a significant impact on the reputation of organizations, and T-Mobile certainly seems to be an organization that is becoming synonymous with massive data breaches. In this case, an incorrectly configured API was the culprit, however this is indicative of potentially poor processes and procedures with respect to securing tools that have access to such a significant amount of data. By collecting and storing information on such a massive amount of customers, T-Mobile also has a responsibility to ensure it is secure, a responsibility which they have failed with multiple times now.

"While they say that no credit card information or Social Security numbers were stolen, the information taken by the bad actors is a gold mine for social engineers to use to craft email phishing, vishing, or smishing attacks. Using the information they have recovered, it would be very easy to craft attacks that reference information that the customer may feel only T-Mobile would have. This makes the potential victim more likely to trust the communication, possibly leading to financial theft or identity theft.

"The issue helps outline the importance of organizations working toward a deeply permeating and widely spread strong security culture. This is not something that will change in a day, however if T-Mobile wishes to retain or even regain the trust of its customers, future breaches such as this, whether caused by active cyber attacks or simple misconfigurations, must be stopped.”

Richard Bird, Chief Security Officer at Traceable, thinks that the telecom carrier shouldn't underestimate the magnitude of the incident.

“T-Mobile attempts to greatly minimize the seriousness of the loss of data for 37 million customers by stating that the bad guys didn't actually get anything sensitive or important, but then in the same 8k filing say, ‘We may incur significant expenses in connection with this incident.’ This has become the common practice. Then the company declares that violating the trust of tens of millions of customers is ‘no big deal’ while still acknowledging that these breaches and exploits are bad enough to result in massive costs and damages. Obviously, it can't be both. It can't be a no problem and a big problem at the same time.

"In T-Mobile's own words, they state that they discovered that the bad guys had stolen 37 million user accounts worth of data on January 5th, but they stopped the attack within a day. Except, they also acknowledge that they believe the exploit began on November 25th through API abuse. So, they didn't stop the attack in a day. It took more than 40 days to stop the attack. 

"This then is the disconnect; without API security in place they don't even know when they are being exploited.

"API security is in a woeful state, around the world and across every industry, agency and organization. For 10 years APIs have been exploding in use, with virtually no guard rails to keep them safe. T-Mobile's API breach may seem shocking, but we're seeing tens of millions of customer accounts get snatched by the bad guys nearly weekly. And yet, most companies are still willfully ignoring this crisis.”

Organizations need innovation and transformation, but these can exact a price in security.

Added, 10:30 PM, January 20th, 2023.

Mike Britton, CISO of Abnormal Security, wrote to warn of the dangers of dynamism and transformation. "Companies like T-Mobile don't stay stagnant when it comes to digital transformation and innovation, making it increasingly difficult to create a solid cybersecurity posture, particularly as new tools are added. With a new CISO onboard and 8 disclosed attacks since 2021, they are a prime target for continued attacks, as threat actors often see companies that have publicly disclosed attacks as easier targets. As organizations look to stave off these attacks, cloud infrastructure, API and SaaS repositories and business email compromise (BEC) risks are all prime areas for focus, as these tend to be the most common ways for threat actors to gain initial access."

The importance of taking breach reporting seriously.

Added, 10:30 PM, January 20th, 2023.

Chris Doman, CTO & Co-founder of Cado Security, gives T-Mobile credit for understanding the importance of taking disclosure seriously:

"It's positive to see that T-Mobile takes breach reporting seriously -- although we have seen them report a number of breaches over the last few years. Unauthorized API access can be extremely difficult for organizations to monitor and investigate -- especially for enterprise companies, due to the sheer volume of them. As more organizations are moving data to the cloud, API security becomes even more pertinent with distributed systems. At this point, T-Mobile will have likely reviewed the logs in order to quantify the damage as quickly as possible or they may be at risk of significant fines under GDPR and other legislation. It is key for organizations to ensure they have proper visibility into API access and activity beyond traditional logging especially in the cloud as the threat landscape continues to evolve. For example, there was a vulnerability recently discovered with one of AWS’ APIs that allowed attackers to bypass CloudTrail logging."

Bill Bernard, AVP, Security Strategy at Deepwatch, on the other hand, notes that T-Mobile is no stranger to high-profile breaches. The nature of its business makes this so:

"T-Mobile is a very visible example of a company that gets repeatedly breached. They are so visible in part because their breaches involve PII data, and there are regulatory requirements that they must divulge when that data is breached. In 2022, it was reported that a high percentage of Ransomware impacted organizations get hit a second time. Generally, because being hit isn’t about one lucky attempt, but about larger issues within the organization’s security program that are not up to the task. Fixing these systemic issues is not something that happens overnight, and generally requires significant changes to the organization, including significant investment. We’re liable to note more of these repeated breaches reported as more jurisdictions create breach reporting laws and requirements, making it harder for organizations to hide any type of breach. We also need to recognize that cybersecurity is a business issue: companies must commit to it at the board level or it will never receive the attention it needs to be effective in this day and age. Gone are the days of thinking a good antivirus package and a firewall is enough to protect your organization."

The T-Mobile breach and its potential for exploitation in social engineering.

Added, 3:45 PM, January 23rd, 2023.

Chris Lehman, CEO of SafeGuard Cyber, draws attention to the potential breaches of this kind hold for social engineering attacks (phishing, vishing, and so on):

“The data listed on the dark web after a breach like this is just fuel for social engineering attack fire. This latest T-Mobile breach should serve as a reminder that we must rethink the potential impact data breaches can have not just on the company who suffered the breach but other companies as well. Breaches tied to large companies like T-Mobile are no longer singular events and are interconnected because more data flooding the marketplace empowers other criminals and hacker groups to launch sophisticated cyber and social engineering attacks against other companies. The threats facing other companies actually compound with each new breach. It's time companies start reading the headlines with employees in mind. More breaches are on the way. Don't breathe a sigh of relief. Make it a part of your standard protocols to survey your workforce to find out if anyone has been affected by recent breaches. Using this approach can protect your enterprise from attacks by neutralizing the tip of the spear, adapting to the compounding risks posed by new breaches.”