T-Mobile has disclosed a new, enormous breach that occurred in November, which was the result of the compromise of a single application programming interface (API). The result? The exposure of the personal data of more than 37 million prepaid and postpaid customer accounts.
For those keeping track, this latest disclosure marks the second sprawling T-Mobile data breach in two years and more than a half-dozen in the past five years.
And they’ve been expensive.
Last November, the Massachusetts attorney general fined T-Mobile $2.5 million over a 2015 data breach. Another data leak, in 2021, cost the carrier $500 million: $350 million in payouts to affected customers and another $150 million pledged toward upgrading security through 2023.
Now the telecom giant is mired in yet another cybersecurity incident.
T-Mobile’s Cybersecurity Snafu
John Binns, the threat actor who claimed responsibility for the 2021 breach of 54 million past, present and prospective T-Mobile customers, bragged in an interview with the Wall Street Journal that T-Mobile’s “awful” security made his job easy.
But with an infrastructure as large as T-Mobile’s, it is tough to cover the entire attack surface, which makes the company’s systems particularly complicated to shore up, Justin Fier, senior vice president for red-team operations with Darktrace, tells Dark Reading.
“Like most big brands, T-Mobile has a very complex and sprawling digital estate,” Fier explains. “It is becoming harder by the day to gain visibility into every aspect of that estate and make sense of the data, which is why we’re increasingly seeing