The personal information of 37 million T-Mobile customers was stolen by hackers
The criminals exploited an API to obtain customer information, including their names, billing addresses, email addresses, telephone numbers, dates of birth, and account numbers.
T-Mobile and millions of its customers have been subjected to yet another data breach - apparently perpetrated by hackers who were able to exploit a programming interface used by the company.
The breach was disclosed by T-Mobile in a filing with the U.S. Government on January 19. A Securities and Exchange Commission report stated that the impacted API provided hackers with 37 million current postpaid and prepaid customer names, billing addresses, email addresses, phone numbers, dates of birth, and account numbers.
Details of T-Mobile's SEC filing
In its filing, the company did not identify the affected API or explain how hackers might exploit it. Fortunately, T-Mobile had no reports of any other personal information being leaked, including payment card numbers, social security numbers, driver's license numbers, passwords, or PINs.
According to the carrier, the breach began on or around Nov. 25 last year. Upon discovering the malicious activity, the company stopped it within a day and is currently working with law enforcement to investigate further.
T-Mobile is not new to data breaches
It is not uncommon for T-Mobile to suffer data breaches and hacks. The company has experienced several security incidents over the past several years, including a bug on its website in 2018 that permitted anyone to access customer information and a breach in 2021 that exposed the personal information of almost 50 million people. Furthermore, the Lapsus$ cybercrime group perpetrated several cyberattacks in March 2022.
According to T-Mobile's SEC filing, the company launched a "significant multi-year investment" in 2021 to improve its cybersecurity capabilities by working with external security providers. Despite having made substantial progress, the company noted that it would continue investing to strengthen its cybersecurity measures.
A misconfigured API caused the data breach at T-Mobile
As Erich Kron, security awareness advocate at KnowBe4, noted, repeated data breaches such as this can negatively impact the reputation of organizations. An incorrectly configured API caused this incident; however, this indicates potentially insufficient processes and procedures concerning securing tools that have access to such a substantial amount of information.
Since T-Mobile collects and stores such an extensive amount of information about its customers, the company also has a responsibility to ensure that it is secure, a responsibility they have failed to fulfill on numerous occasions.
An API serves as a communication interface between systems or applications. Because APIs are so widely used within organizations, however, they have become a tempting target for cybercriminals. Through API scraping attacks, hackers can gain direct access to an organization's critical data and assets.
Netwrix's Dirk Schrader, VP of security research, described APIs as "highways to a company's data." "If there are no controls that monitor the amount of data left by the domain via the API, there is no control over customer data."
The stolen customer data from T-Mobile is a goldmine for hackers
Cybercriminals may not have been able to access credit card information or Social Security numbers in this hack. Still, the stolen information constitutes a gold mine for them, according to Kron. They can use this information to design phishing, vishing, and smishing attacks and reference information that a customer may feel is only known to T-Mobile. If the attack is successful, financial or identity theft may result.
"It is expected that the type of data exfiltrated in T-Mobile's case will allow ransomware gangs to improve the credibility of phishing emails sent to potential victims," said Schrader. "Such a dataset could also be of interest to malicious actors, also known as Initial Access Brokers, who are interested in gaining initial access to computers and company networks."
Here are some recommendations for T-Mobile customers and organizations that use APIs
Due to this latest breach, T-Mobile customers are strongly advised to change their passwords and be aware of any incoming emails that seem to be from the company or that pertain to T-Mobile accounts. Be sure to carefully review any unexpected or unsolicited emails for typos, errors, incorrect links, or other misleading information.
It is imperative for organizations that use APIs to implement tight controls over who is permitted to use the APIs and at what time and frequency, advises Schrader. By limiting access to resources from both inside and outside the network, a zero-trust approach reduces the attack surface.
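The two controls Schrader describes, limiting how often each API client may be used and monitoring how much data leaves through the API, can be sketched as a detection rule over API access logs. This is an added example, not part of the original article and not code from T-Mobile or Netwrix; the log format, client names and thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<ISO time> client=<id> account=<id> bytes=<n>"
LINE = re.compile(r"(\S+) client=(\S+) account=(\d+) bytes=(\d+)")

def parse(lines):
    """Yield (time, client, account, bytes); malformed lines are skipped."""
    for line in lines:
        m = LINE.fullmatch(line.strip())
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])

def detect_bulk_export(lines, window=timedelta(minutes=5),
                       max_accounts=20, max_bytes=50_000):
    """Return {client: (first_alert_time, reason)} for every client that
    exceeds either per-window limit (hypothetical thresholds)."""
    recent = defaultdict(deque)   # client -> events inside the sliding window
    alerts = {}
    for ts, client, account, size in sorted(parse(lines)):
        q = recent[client]
        q.append((ts, account, size))
        while ts - q[0][0] > window:          # drop events older than the window
            q.popleft()
        if client in alerts:
            continue
        accounts = {a for _, a, _ in q}       # distinct customer records read
        volume = sum(s for _, _, s in q)      # response bytes sent to this client
        if len(accounts) > max_accounts:
            alerts[client] = (ts, f"{len(accounts)} distinct accounts in window")
        elif volume > max_bytes:
            alerts[client] = (ts, f"{volume} bytes in window")
    return alerts

def sample_log():
    """Constructed data: one ordinary client, one client enumerating accounts."""
    base = datetime(2023, 1, 10, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=20 * i)).isoformat()} "
             f"client=billing-portal account={1000 + i % 3} bytes=800"
             for i in range(6)]
    lines += [f"{(base + timedelta(seconds=2 * i)).isoformat()} "
              f"client=partner-key-7 account={5000 + i} bytes=800"
              for i in range(40)]
    return lines + ["garbage line"]

if __name__ == "__main__":
    for client, (ts, why) in detect_bulk_export(sample_log()).items():
        print(client, ts.isoformat(), why)
```

In production the same per-client counters would normally be enforced at the API gateway as quotas as well as alerted on, so that enumeration is throttled rather than only reported.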
"These attacks will continue until organizations commit to reducing and eventually eliminating data silos and copy-based data integration to establish a foundation of control," explained Dan DeMers, CEO and co-founder of Cinchy. In practice, we are talking about a fundamental shift in which CTOs, CIOs, CDOs, data architects, and application developers begin to fully decouple data from applications and other silos to establish a 'zero-copy' data ecosystem.