A hacker leveraged an Application Programming Interface (API) to steal the personal information of 37 million customers over two months, undetected, from American cellular carrier T-Mobile.
The acknowledgment by the carrier in a filing Thursday with the U.S. Securities and Exchange Commission comes six months after it agreed to settle a class action lawsuit over a 2021 data breach involving the personal information of just over 76 million customers. An attacker accessed the carrier’s testing environments, then used brute force attacks and other methods to get into other IT servers that included customer data.
As a result of that 2021 hack, T-Mobile said, it started “a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity. We have made substantial progress to date, and protecting our customers’ data remains a top priority. We will continue to make substantial investments to strengthen our cybersecurity program.”
In its regulatory filing, T-Mobile said that on Jan. 5 it discovered that a “bad actor was obtaining data through a single Application Programming Interface” in a compromise that started Nov. 25, 2022.
It didn’t explain how the API was exploited.
“We promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, we were able to trace the source of the malicious activity and stop it. Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network.”
“Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, based on our investigation to date, customer accounts and finances were not put at risk directly by this event. The API abused by the bad actor does not provide access to any customer payment card information (PCI), social security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs or other financial account information, so none of this information was exposed. Rather, the impacted API is only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features.”
An API lets a product or service communicate with other products and services, but as Red Hat notes, they also allow organizations to share data with customers and other external users. IBM points out that an API allows users to log into several sites using their Google or Twitter credentials, and travel booking sites to aggregate thousands of flights. However, F5 Networks writes that APIs have to be secured from injection, cross-site-scripting, man-in-the-middle and other attacks through strong authentication.
Ilia Kolochenko, founder of ImmuniWeb, and a member of Europol Data Protection Experts Network, said that unprotected APIs are rapidly becoming one of the primary sources of disastrous data breaches. “The situation is aggravated by shadow IT that now encompasses not only the forgotten, abandoned, or undocumented APIs and web services but also the full spectrum of accidentally exposed APIs from test and pre-production environments that may be hosted or managed by numerous third parties that have privileged access to sensitive corporate data.”
Given that the exfiltration of 37 million customer records was not detected and blocked by the anomaly detection system, he suspects the breached API belonged to the unknown and thus unprotected shadow assets.
While the financial data of the customers is reportedly safe, he added, what the hacker got can be used by cybercriminals for sophisticated spear phishing attacks.
“In view of the previous security incidents implicating T-Mobile,” he also said, “legal consequences for this data breach may be pretty harsh – courts and regulators will be unlikely to be lenient when considering monetary and other available sanctions.”