U.S. telecommunications giant T-Mobile disclosed on Thursday that hackers obtained data on 37 million customers through a vulnerable API (application programming interface). The disclosure was included in an 8-K filing with the U.S. Securities and Exchange Commission.
The incident is just the latest affecting the company and comes less than two years after a serious breach that exposed data on some 77 million customers, which was then put up for sale in hacker forums.
Names, emails, phone numbers exposed by T-Mobile
The data exposed includes customers’ names, billing addresses, emails, phone numbers, and dates of birth. The attack also revealed T-Mobile account numbers and information on the customers’ T-Mobile plans, the company said.
T-Mobile first became aware of the incident on January 5th, when the company determined that “a bad actor was obtaining data through a single Application Programming Interface (‘API’) without authorization.” The attackers appear to have had access to the company’s data starting on November 25th, according to the filing.
Leaky APIs sow havoc…again
APIs are a growing security risk for organizations as digital transformation sees them embracing cloud-based applications and services in place of on-premises hardware and software. APIs are the glue that holds such infrastructure together, facilitating and standardizing programmatic access to those services. However, if not properly designed, deployed and monitored, APIs can provide malicious actors with easy access to sensitive systems and data.
A team of