U.S. mobile carrier T-Mobile has reported a cyberattack, confirming that 37 million customers were impacted by the data breach.
T-Mobile issued a statement on the matter:
“We are currently in the process of informing impacted customers that after a thorough investigation we have determined that a bad actor used a single Application Programming Interface (or API) to obtain limited types of information on their accounts. As soon as our teams identified the issue, we shut it down within 24 hours. Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, customer accounts and finances should not be put at risk directly by this event. There is also no evidence that the bad actor breached or compromised T-Mobile’s network or systems.”
T-Mobile stated that no information was obtained for impacted customers that would compromise the safety of customer accounts or finances, but that the company wanted to be transparent with its customers and ensure they were aware.
How Serious Was the Attack?
No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised, T-Mobile said. Some basic customer information was obtained, nearly all of which is the type widely available in marketing databases or directories. The information included name, billing address, email, phone number, date of birth, account number, and information such as the number of lines on the account and service plan features.
Further commenting, T-Mobile said:
“We understand that an incident like this has an impact on our customers and regret that this occurred. While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program.”
Cyber Expert Adds Perspective
Commenting on the T-Mobile hack, Dirk Schrader, vice president of Security Research for private IT security software provider Netwrix, described APIs as “highways to a company’s data” — highly automated and allowing access to large amounts of information.
“As digitalization heavily relies on this kind of automated interaction using APIs, and time-to-market often trumps security, the risk related to unmonitored APIs is likely to grow even more,” Schrader said.
Typically, mid-size organizations and enterprises have tens or hundreds of APIs in their infrastructure. Even with these technologies in place, organizations often fail to use mutual authentication, according to Schrader.
“Additionally, when there are no controls in place that monitor the amount of data left by the domain via the API, it results in no control over the customers’ data,” he said.
The type of data exfiltrated in T-Mobile’s case could allow ransomware gangs like the Cuba ransomware (CISA alert #AA22-335A) or any other ransomware group to improve the credibility of phishing emails sent to potential victims, Schrader explained. Such a dataset would therefore also be of interest to the malicious actors known as initial access brokers, who focus on collecting initial inroads to personal computers and company networks.
“Simply put, these actors merge data from several leaks, like the one that happened to Twitter recently, to come up with an even more convincing story for the upcoming phishing attack,” he said.
Schrader advised that T-Mobile should embed tight control over who is using the APIs at what time and rate. He recommended zero trust as the best approach to reduce the attack surface in this situation because it restricts access to resources from both inside and outside of the network until the validity of the request is confirmed.
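The two controls Schrader describes, knowing who is calling an API at what rate and how much customer data leaves through it, can be checked against ordinary API access logs. The Python script below is an added example and is not code from the article, T-Mobile or Netwrix: the log format, the `/v1/accounts/<id>` endpoint, the client names and the per-minute budgets are all assumptions, and every log line is constructed. It buckets successful customer-record reads per client into 60-second windows and raises an alert when a client's request count or its number of distinct accounts fetched exceeds the budget, which is the pattern a bulk-enumeration of customer records through a single API would leave behind.

```python
"""Per-client API rate and data-volume monitor.

Added example, not code from the article, T-Mobile or Netwrix. It implements the
two controls the commentary calls for: who is calling an API at what rate, and how
much customer data leaves through it. The log format, endpoint, client names and
budgets are assumptions; all log lines are constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical access-log format: "<iso-timestamp> client=<id> <METHOD> <path> status=<code>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) status=(?P<status>\d{3})$"
)
# Hypothetical endpoint that returns one customer record; the trailing id is the account read.
ACCOUNT_PATH_RE = re.compile(r"^/v1/accounts/(?P<account>\d+)$")

WINDOW = timedelta(seconds=60)
MAX_REQUESTS_PER_WINDOW = 60           # assumed rate budget per client per minute
MAX_DISTINCT_ACCOUNTS_PER_WINDOW = 20  # assumed data-volume budget per client per minute


@dataclass(frozen=True)
class Alert:
    client: str
    window_start: datetime
    requests: int
    distinct_accounts: int
    reason: str


def parse_line(line: str) -> dict | None:
    """Parse one access-log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    acct = ACCOUNT_PATH_RE.match(rec["path"])
    rec["account"] = acct.group("account") if acct else None
    return rec


def detect_bulk_access(lines: list[str]) -> list[Alert]:
    """Bucket successful customer-record reads per client into fixed windows and
    flag clients whose request rate or distinct-account count exceeds the budget."""
    # (client, window_start) -> [request count, set of account ids]
    buckets: dict[tuple[str, datetime], list] = defaultdict(lambda: [0, set()])
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["account"] is None or rec["status"] != "200":
            continue  # only count reads that actually returned customer data
        epoch = rec["ts"].timestamp()
        window_start = datetime.fromtimestamp(epoch - epoch % WINDOW.total_seconds(), tz=timezone.utc)
        bucket = buckets[(rec["client"], window_start)]
        bucket[0] += 1
        bucket[1].add(rec["account"])

    alerts: list[Alert] = []
    for (client, window_start), (count, accounts) in sorted(buckets.items()):
        reasons = []
        if count > MAX_REQUESTS_PER_WINDOW:
            reasons.append(f"rate {count} > {MAX_REQUESTS_PER_WINDOW}/min")
        if len(accounts) > MAX_DISTINCT_ACCOUNTS_PER_WINDOW:
            reasons.append(f"{len(accounts)} distinct accounts > {MAX_DISTINCT_ACCOUNTS_PER_WINDOW}/min")
        if reasons:
            alerts.append(Alert(client, window_start, count, len(accounts), "; ".join(reasons)))
    return alerts


def _fmt(ts: datetime) -> str:
    return ts.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_log() -> list[str]:
    """Constructed sample: a web portal reading a handful of accounts, plus one API
    client walking sequential account ids at about two requests per second."""
    base = datetime(2023, 1, 5, 10, 0, 0, tzinfo=timezone.utc)
    lines = [
        f"{_fmt(base + timedelta(seconds=5))} client=portal-web GET /v1/accounts/1001 status=200",
        f"{_fmt(base + timedelta(seconds=9))} client=portal-web GET /v1/accounts/1001 status=200",
        f"{_fmt(base + timedelta(seconds=20))} client=portal-web GET /v1/accounts/2047 status=200",
        f"{_fmt(base + timedelta(seconds=21))} client=portal-web POST /v1/login status=401",
        "this line is malformed and is skipped by the parser",
    ]
    for i in range(120):  # 120 sequential account reads inside one 60-second window
        ts = base + timedelta(seconds=i * 0.5)
        lines.append(f"{_fmt(ts)} client=partner-42 GET /v1/accounts/{5000 + i} status=200")
    return lines


if __name__ == "__main__":
    for a in detect_bulk_access(build_sample_log()):
        print(f"{a.window_start.isoformat()} {a.client}: {a.reason}")
```

The budgets here are illustrative; in practice each client's rate and volume budget would be derived from its observed baseline, and an alert would feed a throttle or credential revocation rather than only a log entry, which is what "control over who is using the APIs at what time and rate" means operationally.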