T-Mobile failed to secure API in latest hack

T-Mobile reported that a "bad actor" was able to obtain information on millions of its customers through an application programming interface (API) into its systems.

Friday's announcement follows almost half a dozen other hacks into T-Mobile's systems over the past several years. The most recent, disclosed in 2021, cost T-Mobile at least $400 million and prompted the carrier to spend another $150 million on "data security and related technology in 2022 and 2023."

However, it appears that money didn't secure the API that T-Mobile said hackers began accessing in November. According to a T-Mobile SEC filing, the hackers walked away with names, billing addresses, emails, phone numbers and dates of birth from around 37 million customer accounts.

The hackers also got T-Mobile data including customers' account numbers and service plan details. The operator said it discovered the breach on January 5 and then shut down access to the API.

T-Mobile reported that an API hack in November compromised the data of 37 million customers. (Source: Robert K. Chin - Storefronts/Alamy Stock Photo)

"No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised," T-Mobile said in a statement. "We understand that an incident like this has an impact on our customers and regret that this occurred. While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program."

T-Mobile also told the SEC: "Although we are unable to predict the full impact of this incident on customer behavior in the future ... we presently do not expect that it will have a material effect on the company's operations."

However, analyst Neil Mack, with Moody's Investors Service, wrote in a statement to media that the frequency of breaches at T-Mobile is cause for concern.

"T-Mobile's latest announced cybersecurity breach ... is credit negative and raises questions about the company's cyber risk governance and management practices," he wrote. "While these cybersecurity breaches may not be systemic in nature, their frequency of occurrence at T-Mobile is an alarming outlier relative to telecom peers, and it could negatively impact customer behavior, cause churn to spike and potentially attract the scrutiny of the FCC and other regulators."

FCC gets involved

According to The Wall Street Journal, the FCC is investigating the matter. That's not surprising, considering the agency this month moved forward on rules that would eliminate a seven-business-day waiting period for network operators to notify customers of security breaches. The rules would also require carriers to report inadvertent but harmful data breaches, and to immediately notify the FCC of such intrusions.

Indeed, just this week FCC Chairwoman Jessica Rosenworcel gave a high-profile speech on security in wireless networks.

"Right now the agency is doing more to address network security than at any point in its history," she said. "It's a strategy to deter, defend, and develop: deter bad actors, defend against untrusted vendors, and develop a market for trustworthy innovation. By doing this, we are working to help improve communications security at home and shine as an example for the rest of the world."

T-Mobile isn't the only company to be hit with cyberattacks. For example, Yum Brands – which owns fast food chains Pizza Hut and Taco Bell – announced this week that a ransomware attack forced it to close nearly 300 restaurants in the UK for a day.

And in the telecom industry, more than a dozen mobile network operators have been infiltrated by a hacking group called LightBasin since 2019, according to one report.

How secure are APIs?

But the fact that T-Mobile's latest hack involved one of the company's APIs is noteworthy because most telecom operators are working to open up such portals into their core network functions.

Dish Network recently opened a developer portal that promises to offer a wide range of APIs into its expanding 5G network. Categories of APIs include "connectivity service," "service observability" and "in-network cloud service."

Many of the Dish APIs are listed as "coming soon," but the company is currently offering several others for "subscriber provisioning service" (SPS), which Dish said can "allow your admin to register, activate and manage your devices via API."

The targeting of APIs in T-Mobile's most recent hack sparked plenty of commentary among security experts.

"Unauthorized API access can be extremely difficult for organizations to monitor and investigate – especially for enterprise companies, due to the sheer volume of them," said Chris Doman, CTO of security company Cado Security, in a statement distributed to media. "As more organizations are moving data to the cloud, API security becomes even more pertinent with distributed systems. It is key for organizations to ensure they have proper visibility into API access and activity beyond traditional logging especially in the cloud as the threat landscape continues to evolve."

And Lewis Duke, a security engineer at security company Trend Micro, said APIs are increasingly becoming targets for hackers.

"The issue is, a large number of APIs may exist that an organization may not be aware of from old dev environments," Duke said in a statement distributed to media. "The key to API security is to ensure that basic controls around authorization at the object and user level are understood and correctly applied as well as ensuring that only the minimum data that is required is exposed in responses to API requests."
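The two controls Duke describes (authorization checked per object and per user, and responses trimmed to the minimum fields) and the per-request visibility Doman calls for can be shown in a few lines of a lookup handler. The following is an added Python example, not T-Mobile's, Dish's or either vendor's code; the customer records, field names, the `support` role, the handler and the in-memory audit list are all constructed for illustration, with the audit list standing in for a real log pipeline.

```python
"""Object-level authorization, response minimization and per-request audit
for a customer-lookup API endpoint (added example; all data constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample records, holding the same kinds of fields the article
# says were exposed. Nothing here is real customer data.
CUSTOMERS: Dict[str, Dict[str, str]] = {
    "acct-1001": {
        "name": "Ada Example", "billing_address": "1 Example St",
        "email": "ada@example.invalid", "phone": "555-0100",
        "dob": "1980-01-01", "plan": "Unlimited", "account_number": "acct-1001",
    },
    "acct-1002": {
        "name": "Bob Example", "billing_address": "2 Example Ave",
        "email": "bob@example.invalid", "phone": "555-0101",
        "dob": "1975-05-05", "plan": "Prepaid", "account_number": "acct-1002",
    },
}

# The only fields a self-service "my account" view needs. Everything else
# (address, email, phone, date of birth) stays server-side.
PUBLIC_FIELDS = ("name", "plan", "account_number")

# One record per request, allowed or denied. In production this would be
# shipped to a SIEM; an in-memory list is enough to show the idea.
AUDIT_LOG: List[Dict[str, object]] = []


@dataclass
class Caller:
    """Identity established before the handler runs (e.g. from a verified token)."""
    subject: str                      # who is calling
    account_id: Optional[str]         # the one account this identity owns, if any
    roles: frozenset = field(default_factory=frozenset)


def get_customer_unchecked(account_id: str) -> Optional[Dict[str, str]]:
    """Broken pattern: any authenticated caller can read any account, and the
    whole record comes back. This is the shape of a missing object-level check."""
    return CUSTOMERS.get(account_id)


def handle_request(caller: Caller, account_id: str) -> Tuple[int, Dict[str, str]]:
    """Hardened pattern: decide authorization for THIS object and THIS caller
    first, record the decision, then return only the fields the view needs."""
    allowed = caller.account_id == account_id or "support" in caller.roles
    AUDIT_LOG.append({"subject": caller.subject, "object": account_id, "allowed": allowed})
    if not allowed:
        # Deny before looking the record up, so a 403/404 difference cannot
        # tell an unauthorized caller whether the account exists.
        return 403, {"error": "forbidden"}
    record = CUSTOMERS.get(account_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, {k: record[k] for k in PUBLIC_FIELDS}


def denied_count() -> int:
    """How many object-level authorization failures the audit trail holds."""
    return sum(1 for entry in AUDIT_LOG if not entry["allowed"])


def flag_repeated_denials(threshold: int) -> Set[str]:
    """Subjects denied on at least `threshold` distinct accounts. Only a
    per-object audit record, not aggregate request counts, makes this visible."""
    denied: Dict[str, Set[str]] = {}
    for entry in AUDIT_LOG:
        if not entry["allowed"]:
            denied.setdefault(str(entry["subject"]), set()).add(str(entry["object"]))
    return {subject for subject, objects in denied.items() if len(objects) >= threshold}


if __name__ == "__main__":
    ada = Caller("ada", "acct-1001")
    print(handle_request(ada, "acct-1001"))   # 200, three fields only
    print(handle_request(ada, "acct-1002"))   # 403, and an audit entry
    print(denied_count(), flag_repeated_denials(1))
```

The decision is made per request against the specific object, which is what "authorization at the object and user level" means in practice; a check that only confirms the caller is logged in would let `get_customer_unchecked` behaviour through. Keeping `PUBLIC_FIELDS` explicit means a new column added to the record later is not exposed by default.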

Mike Dano, Editorial Director, 5G & Mobile Strategies, Light Reading | @mikeddano