T-Mobile, the US telecom giant, has disclosed in a regulatory filing a data breach affecting 37 million customer accounts. The company says the attacker gained access to the data through one of its APIs, and that the data obtained included names, birth dates and phone numbers.
The company says the attack began around November 25th, 2022, and was discovered on January 5th; it believes the attacker had access to the exploited API for over a month before the breach was detected. T-Mobile has said that the API did not provide access to other sensitive data, such as social security numbers, credit card information, government ID numbers, passwords, PINs, or financial information.
The company says it traced the source of the attack and closed the exploited flaw within a day of detection. T-Mobile has suffered a number of data breaches in recent years, including an attack in January 2021 that exposed customer call records, and an attack in August 2021 that exposed credit application data.
Gary Ogasawara, CTO of Cloudian, shared his thoughts on the attack and what it means for other organizations looking to protect their valuable customer data:
"The recent uncovering of T-Mobile’s ransomware hack and the company’s attempts to retrieve its data is the latest example of why organizations should encrypt sensitive data both in-flight and at rest. Encryption prevents hackers from reading or making data public in any intelligible way, thereby eliminating the need to pay ransom to keep the data from being exploited.
This incident also illustrates that paying a ransom doesn’t guarantee cybercriminals will honor the deal. Our 2021 ransomware survey found that only 57% of organizations that experienced a ransomware attack and paid the ransom got all their data back.
That’s why it’s essential that organizations have an immutable (unchangeable) backup copy of their data as part of their overall cybersecurity strategy. Immutability prevents cybercriminals from altering or deleting data, ensuring the ability to quickly recover the unchanged backup data without paying the ransom."
Dirk Schrader, VP of Security Research at Netwrix, expanded on the importance of securing APIs:
"APIs are like highways to a company’s data: highly automated and allowing access to large amounts of information. As digitalization heavily relies on this kind of automated interaction using APIs, and time-to-market often trumps security, the risk related to unmonitored APIs is likely to grow even more.
Typically, mid-size organizations and enterprises have tens or hundreds of APIs in their infrastructure. With these technologies implemented, organizations fail to use mutual authentication. Additionally, when there are no controls in place that monitor the amount of data leaving the domain via the API, there is no control over the customers’ data.
The type of data exfiltrated in T-Mobile’s case is set to allow ransomware gangs like the Cuba ransomware (CISA alert #AA22-335A) or any other ransomware group to improve the credibility of phishing emails sent to potential victims. Such a dataset would also be of interest to malicious actors, so-called Initial Access Brokers, that focus on collecting initial inroads to personal computers and company networks. Simply put, these actors merge data from several leaks (like the one that happened to Twitter recently) to come up with an even more convincing story for the upcoming phishing attack.
Not only will these types of phishing emails get better with every personal detail available to the attacker; tools like ChatGPT will also increase the credibility and efficiency of any campaign rolled out by these groups. Phishing awareness trainings teach users to look for grammar or spelling mistakes or story inconsistencies that identify a phishing email. But the more detailed data is available to cyber crooks, the better the phishing campaigns their tools produce, and the higher their success rate becomes.
Companies should embed tight controls over who is going to use the APIs, at what time and at what rate. Zero Trust is the best approach to reduce the attack surface in this situation since it restricts access to resources from both inside and outside of the network until the validity of the request is confirmed."
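The volume monitoring Schrader calls for, as an added example that is not part of the article or of either vendor's products: a sliding-window detector over constructed API access log lines (timestamp, client id, records returned) that flags any client whose records returned within the window exceed a threshold. The log format, client names, window and threshold are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <api client id> <records returned>".
# The dates are illustrative only; svc-batch pulls 500 records per call.
SAMPLE_LOG = """\
2022-11-25T10:00:00Z app-web 12
2022-11-25T10:00:05Z app-web 8
2022-11-25T10:00:10Z svc-batch 500
2022-11-25T10:00:20Z svc-batch 500
2022-11-25T10:00:30Z svc-batch 500
2022-11-25T10:05:00Z app-web 15
2022-11-25T11:00:00Z svc-batch 500
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, record_count) tuples."""
    events = []
    for line in text.splitlines():
        ts, client, count = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, int(count)))
    return events


def flag_volume_anomalies(events, window=timedelta(minutes=10), limit=1000):
    """Return {client: first timestamp flagged} for every client whose records
    returned within any sliding window of `window` length exceed `limit`.
    Window and limit are assumed policy values; tune them per API."""
    recent = defaultdict(deque)   # client -> deque of (ts, count) inside window
    totals = defaultdict(int)     # client -> sum of counts currently in window
    flagged = {}
    for ts, client, count in sorted(events):
        q = recent[client]
        q.append((ts, count))
        totals[client] += count
        # Drop events that have fallen out of the window.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            totals[client] -= old
        if totals[client] > limit and client not in flagged:
            flagged[client] = ts
    return flagged


if __name__ == "__main__":
    for client, ts in flag_volume_anomalies(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {client} exceeded record limit at {ts.isoformat()}")
```

With the sample data, svc-batch is flagged at its third call (1500 records in 20 seconds), while app-web never approaches the limit.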