Roughly 37 million T-Mobile customers have had their information stolen in a data breach, according to a statement published by the company late last night. Fortunately, T-Mobile has said that while hackers accessed names, addresses, and dates of birth, they were not able to access more sensitive information such as Social Security or credit card numbers.
But according to Sam Curry, Chief Security Officer at Cybereason, “what is or isn’t sensitive is an important question to ask. Whether or not sensitive data and financial information was lost, isn’t the point. Customer information is a privilege to hold, not a right; and while it’s great that T-Mobile’s network wasn’t compromised in this instance, and that outright theft wasn’t enabled through loss of direct billing numbers, eroding privacy and making it easier for hackers to compromise identities is still important and sensitive.”
T-Mobile has also revealed the hacker leveraged an application programming interface (API) to obtain the data. This isn’t the first time a major telecom has been hit with a data breach at the hands of an API issue – just last year the Australian organisation Optus suffered a similar fate, being forced to allocate $140m to rectify the issue.
In light of this, many experts have criticised T-Mobile’s response to the attack.
“In its SEC filing, T-Mobile called the attack “malicious” and stated that data attained through its API was done “without authorization.” However, while T-mobile has provided some information related to this API breach, including specific account data, they have provided no technical details. Uncovering an API attack after the fact – in this case, 41 days and 37 million records later – is just not good enough,” said Nick Rago, Field CTO at Salt Security.
“Many questions remain to be answered by T-Mobile about the incident. Was the API known to T-Mobile? Did it require any authentication and authorization to use? Where was the API exposed and what was its business and functional purpose? Without these and other questions answered, it is hard to speculate at this time exactly how the T-Mobile API was exploited by the attacker,” he continued.
An attack of this magnitude was bound to make waves in the industry, and experts are waiting with baited breath for the results of T-Mobile’s investigation.
“It appears that T-Mobile moved quickly and, while the details aren’t yet known, the world is paying attention to the results of this investigation. Hackers are innovative, and companies with valuable data and services are always a target, but it remains to be seen if the compromises in 2023 are similar to the ones suffered by T-Mobile in 2021. Did the company learn from 2021? Was 2023 unique? Was this a case this time around if anyone can fail occasionally or is it worse than that? Only time and the facts will tell us and tell T-Mobile and fellow practitioners what the new lessons-to-be-learned are,” Curry continued.