T-Mobile Pwned By Hackers… Yet Again

T-Mobile recently revealed in an SEC filing that a hacker stole the personal data of 37 million customers. TechCrunch has the story:

The telecom giant said that the “bad actor” started stealing the data, which includes “name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features,” since November 25.

In the SEC filing, T-Mobile said it detected the breach more than a month later, on January 5, and that within a day it had fixed the problem that the hacker was exploiting.

The hackers, according to T-Mobile, didn’t breach any company system but rather abused an application programming interface, or API.

“Our investigation is still ongoing, but the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network,” the company wrote.

For those keeping score at home, this is the 8th time that T-Mobile has been pwned by hackers. That’s not a good track record.

Edward Roberts, VP Marketing of Neosec, had this to say:

“This incident looks like another example of APIs being attacked and highlights the need for organizations to protect this vast and exponentially growing attack surface. APIs by their nature carry an organization’s crown jewels — its data. More organizations are creating and deploying APIs and this API traffic is estimated to be over 80% of all traffic on the internet. Unfortunately, gathering data by scraping a vulnerable API is now a path to a low and slow data breach. It’s alarming that today many organizations don’t even have an inventory of their APIs let alone know if they are vulnerable. But more important is knowing if there is any abusive traffic on your APIs. Knowing that someone is scraping an API for data is essential.”

Given that this has happened so often to T-Mobile, they clearly have a whole lot of work to do so that customers can feel that their personal information is being handled in a safe and secure manner.
