How hackers stole the personal data of 37 million T-Mobile customers


The criminals used an API to obtain personal information such as customer names, billing addresses, email addresses, phone numbers, dates of birth and T-Mobile account numbers.


T-Mobile and millions of its customers have fallen victim to another data breach – this breach was apparently carried out by hackers who knew how to exploit an application programming interface used by the carrier.

On Jan. 19, T-Mobile disclosed the breach in a filing with the U.S. Securities and Exchange Commission, noting that the affected API provided the hackers with names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers and subscription features for 37 million current postpaid and prepaid customers.

T-Mobile’s SEC filing data

In the filing, the company did not name the affected API or explain how the hackers could exploit it. Fortunately, the API did not leak any other personal information, such as payment card numbers, social security numbers, driver’s license numbers, passwords or PINs, according to T-Mobile.

The leak began on or about Nov. 25, 2022, the carrier said, adding that it stopped the malicious activity within a day of discovering it and that it is cooperating with law enforcement on the investigation.

Data leaks not new for T-Mobile

Data leaks and hacks are not a new phenomenon for T-Mobile. In recent years the company has faced several security incidents, including a bug on its website in 2018 that allowed anyone to access customer data, a breach in 2021 that exposed the personal data of nearly 50 million people, and a series of intrusions by the cybercrime group Lapsus$ in March 2022.

In its SEC filing, T-Mobile said that in 2021 it began a “substantial multi-year investment” in partnership with third-party security providers to enhance its cybersecurity capabilities. The company claims it has “made substantial progress to date” and says it will continue to invest in strengthening its cybersecurity.

Wrongly configured API the culprit of the T-Mobile data breach

“Repeated data breaches like this can have a significant impact on an organization’s reputation, and T-Mobile certainly looks set to become an organization that is becoming synonymous with massive data breaches,” said Erich Kron, security awareness advocate at KnowBe4. “In this case, a misconfigured API was the culprit; however, this points to potentially poor processes and practices related to securing tools that access such a significant amount of data.

“By collecting and storing information on such a huge number of customers, T-Mobile also has a responsibility to make sure it’s secure, a responsibility they’ve failed several times now.”

An API acts as an interface between systems and applications so that they can exchange data programmatically. Because APIs are ubiquitous and built for high-volume automated access, they have become a tempting target for cybercriminals. In an API scraping attack, the attacker abuses an exposed endpoint, typically one with weak authentication or no limit on request volume, to pull an organization’s records in bulk, gaining direct access to its critical data and assets.

“APIs are like highways to a company’s data: highly automated and enabling access to vast amounts of information,” said Dirk Schrader, VP of security research for Netwrix. “If there are no controls that monitor the amount of data that leaves the domain through the API, the result is no control over customer data.”

T-Mobile’s stolen customer data is a goldmine for hackers

While no credit card numbers or social security numbers were exposed in the hack, Kron says the stolen information is a goldmine for cybercriminals. With it they can craft phishing, vishing and smishing attacks that reference details a customer believes only T-Mobile knows, and a successful attack can then lead to financial theft or identity theft.

“The type of data being exfiltrated in the case of T-Mobile is set to enable ransomware gangs… to improve the credibility of phishing emails sent to potential victims,” said Schrader. “Such a dataset would also be of interest to malicious actors, the so-called Initial Access Brokers, who focus on collecting initial access paths to PCs and corporate networks.”

Recommendations for T-Mobile customers and organizations that work with APIs

With this latest breach, T-Mobile customers should not only change their passwords, but also be wary of incoming emails claiming to be from the company or referencing T-Mobile accounts or information. Check all unexpected or unsolicited emails for typos, errors, incorrect links, and other misleading details.

To prevent these types of attacks, organizations working with APIs must implement tight controls over who and what is allowed to use the APIs, at what time and with what frequency, Schrader says. A zero-trust approach is the best way to reduce the attack surface, because it denies access to resources from inside and outside the network alike until each request has been authenticated and authorized.
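The two controls this section calls for, limiting who may call an API and how often, and monitoring how much customer data each caller actually pulls out, are easy to sketch in code. The following Python example is added here for illustration; it is not code from the article, from T-Mobile, or a description of the affected API. The access-log format, the client identifiers, the thresholds and every sample log line are constructed assumptions.

```python
"""Per-client API rate limiting and scraping detection from access logs.

Added example for illustration; not T-Mobile's code and not from the
article. Log format, client names, thresholds and sample lines are assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format: "<ISO-8601 UTC> client=<key id> GET /v1/customers/<acct> status=<code>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) [A-Z]+ "
    r"/v1/customers/(?P<account>\d+) status=(?P<status>\d{3})$"
)

# Detection thresholds (assumed; tune per client to its legitimate traffic profile).
WINDOW = timedelta(seconds=60)
MAX_REQUESTS = 100           # successful record reads per client per window
MAX_DISTINCT_ACCOUNTS = 20   # distinct customer records per client per window


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "client": m["client"], "account": m["account"],
            "status": int(m["status"])}


def detect_scrapers(lines):
    """Return {client: reason} for clients whose successful customer lookups in any
    sliding WINDOW exceed the request or distinct-record thresholds.
    Only 200 responses count, since those are the reads that actually returned data."""
    events = sorted((e for e in map(parse_line, lines) if e and e["status"] == 200),
                    key=lambda e: e["ts"])
    history = defaultdict(deque)  # client -> deque of (ts, account) inside the window
    flagged = {}
    for ev in events:
        q = history[ev["client"]]
        q.append((ev["ts"], ev["account"]))
        while ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        distinct = len({acct for _, acct in q})
        if len(q) > MAX_REQUESTS:
            flagged.setdefault(ev["client"], f"{len(q)} requests in {WINDOW.seconds}s")
        elif distinct > MAX_DISTINCT_ACCOUNTS:
            flagged.setdefault(ev["client"], f"{distinct} distinct accounts in {WINDOW.seconds}s")
    return flagged


class TokenBucket:
    """Enforcement side: each client sustains `rate` requests/s with bursts up to `capacity`.
    Callers without an authenticated client id should be rejected before reaching this."""

    def __init__(self, rate, capacity):
        self.rate, self.capacity = rate, capacity
        self.tokens = defaultdict(lambda: float(capacity))
        self.last_seen = {}

    def allow(self, client, now):
        elapsed = (now - self.last_seen.get(client, now)).total_seconds()
        self.tokens[client] = min(self.capacity, self.tokens[client] + elapsed * self.rate)
        self.last_seen[client] = now
        if self.tokens[client] >= 1:
            self.tokens[client] -= 1
            return True
        return False


# Constructed sample traffic (not real data): a web front end reading two accounts
# repeatedly, and a partner key walking sequential account numbers.
BASE = datetime(2022, 11, 25, 10, 0, 0, tzinfo=timezone.utc)


def _line(offset_s, client, account, status=200):
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} client={client} GET /v1/customers/{account} status={status}"


SAMPLE_LOG = (
    [_line(i, "app-web", 100001 + i % 2) for i in range(5)]
    + [_line(i, "partner-7", 200000 + i) for i in range(30)]
    + [_line(3, "partner-7", 999999, status=404)]   # failed lookup, not counted
)


def flagged_clients():
    return detect_scrapers(SAMPLE_LOG)


def rate_limit_demo():
    """Six back-to-back calls from one client against a burst limit of 5, then one
    more call two seconds later after the bucket has partly refilled."""
    limiter = TokenBucket(rate=1.0, capacity=5)
    decisions = [limiter.allow("partner-7", BASE) for _ in range(6)]
    decisions.append(limiter.allow("partner-7", BASE + timedelta(seconds=2)))
    return decisions


if __name__ == "__main__":
    print(flagged_clients())     # {'partner-7': '21 distinct accounts in 60s'}
    print(rate_limit_demo())     # [True, True, True, True, True, False, True]
```

The detector counts distinct records rather than raw request volume because a scraper walking account numbers one by one can stay under an ordinary per-second limit while still draining the whole customer table; the token bucket, by contrast, stops the burst case but knows nothing about what the calls returned. A real deployment would run the detector over the API gateway's logs and feed its verdicts back into the limiter, revoking or throttling the offending client key.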

“These attacks will continue until organizations commit to reducing and ultimately eliminating data silos and copy-based data integration to establish a foundation of control,” said Dan DeMers, CEO and co-founder of Cinchy. “In practice, we are talking about a fundamental shift where CTOs, CIOs, CDOs, data architects and application developers are decoupling data from applications and other silos to create zero copy data ecosystems.”

Organizations looking to pursue this kind of silo-free, data-centric security should look to standards like Zero-Copy Integration and innovations like dataware technology, DeMers said. Both take a data-centric approach built on the principle of control.

