
Compromised API led to data theft of 37 million T-Mobile customers

By Howard Solomon for IT World Canada
Friday, January 20, 2023

An API lets a product or service communicate with other products and services; as Red Hat notes, APIs also let organizations share data with customers and other external users. IBM points out that APIs allow users to log in to several sites with their Google or Twitter credentials, and let travel booking sites aggregate thousands of flights. F5 Networks, however, writes that APIs have to be secured against injection, cross-site scripting, man-in-the-middle and other attacks, and protected by strong authentication.

Ilia Kolochenko, founder of ImmuniWeb and a member of the Europol Data Protection Experts Network, said that unprotected APIs are rapidly becoming one of the primary sources of disastrous data breaches. “The situation is aggravated by shadow IT that now encompasses not only the forgotten, abandoned, or undocumented APIs and web services but also the full spectrum of accidentally exposed APIs from test and pre-production environments that may be hosted or managed by numerous third parties that have privileged access to sensitive corporate data.”

Given that the exfiltration of 37 million customer records was not detected and blocked by the anomaly detection system, he suspects the breached API belonged to the unknown, and thus unprotected, shadow assets.

While the financial data of the customers is reportedly safe, he added, what the hacker got can be used by cybercriminals for sophisticated spear phishing attacks.

“In view of the previous security incidents implicating T-Mobile,” he also said, “legal consequences for this data breach may be pretty harsh – courts and regulators will be unlikely to be lenient when considering monetary and other available sanctions.”
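The two failure modes Kolochenko describes above, an API that serves millions of records without the anomaly detection noticing, and an API that detection never sees because nobody knew it existed, can both be checked against ordinary access logs. The following is an added example written for this page; it is not code from the article, from ImmuniWeb or from T-Mobile, and it says nothing about how the actual breach worked. The log format, hostnames, client addresses, path layout (`/v1/customers/<id>`) and the per-hour threshold are all assumptions; the log lines and edge host list are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines from a hypothetical API gateway access log, format:
# "<iso-timestamp> <client-ip> <host> <method> <path> <status>". Not real data.
GATEWAY_LOG = (
    # a support tool reading a handful of accounts during the morning
    [f"2023-01-05T10:00:{i:02d}Z 10.0.0.5 api.example.com GET /v1/customers/{1000 + i} 200"
     for i in range(3)]
    # one client walking sequential customer IDs, two per second
    + [f"2023-01-05T11:{i // 60:02d}:{i % 60:02d}Z 203.0.113.7 api.example.com GET /v1/customers/{50000 + i} 200"
       for i in range(120)]
    # the support tool re-reading an account it already fetched: not a new record
    + ["2023-01-05T11:05:00Z 10.0.0.5 api.example.com GET /v1/customers/1000 200"]
)

# Constructed set of hostnames seen by the edge proxy / DNS for the same day.
# api-staging.example.com receives traffic but is not routed through the gateway
# whose log is analysed above: the "shadow API" case.
EDGE_HOSTS = {"api.example.com", "api-staging.example.com"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
CUSTOMER_RE = re.compile(r"^/v1/customers/(?P<cid>\d+)$")


def parse_log(lines):
    """Parse gateway log lines into dicts; lines that do not match are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def bulk_readers(records, max_distinct_per_hour=100):
    """Return {(client, hour): distinct_count} for every client that successfully
    read more distinct customer records in one hour than the threshold allows.
    Distinct IDs are counted rather than requests, so a tool that re-reads the
    same few accounts many times is not flagged while an enumerator is."""
    seen = defaultdict(set)
    for r in records:
        m = CUSTOMER_RE.match(r["path"])
        if not m or r["status"] != "200":
            continue
        hour = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ").strftime("%Y-%m-%dT%H")
        seen[(r["client"], hour)].add(m.group("cid"))
    return {key: len(ids) for key, ids in seen.items() if len(ids) > max_distinct_per_hour}


def unmonitored_hosts(records, edge_hosts):
    """Hosts that receive traffic at the edge but never appear in the gateway log.
    Whatever threshold bulk_readers() uses, it cannot fire for these: the
    detector only covers the assets that are actually fed into it."""
    monitored = {r["host"] for r in records}
    return sorted(edge_hosts - monitored)


if __name__ == "__main__":
    recs = list(parse_log(GATEWAY_LOG))
    print("bulk readers:", bulk_readers(recs))
    print("hosts not covered by gateway logging:", unmonitored_hosts(recs, EDGE_HOSTS))
```

On the constructed data the enumerating client is reported with 120 distinct records in the 11:00 hour while the support tool is not, and `api-staging.example.com` comes back as a host the detector has no visibility into. The second check is the one that matters for the shadow-asset point: an inventory reconciled against edge or DNS observations finds the unmonitored API, and no tuning of the first check would.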
