T-Mobile failed to secure API in latest hack

T-Mobile reported that a “bad actor” was able to obtain information on millions of its customers through an application programming interface (API) into its systems.

Friday’s announcement follows almost half a dozen other hacks into T-Mobile’s systems over the past several years. The most recent, disclosed in 2021, cost T-Mobile at least $400 million and prompted the carrier to spend another $150 million on “data security and related technology in 2022 and 2023.”

However, it appears that money didn’t secure the API that T-Mobile said hackers began accessing in November. According to a T-Mobile SEC filing, the hackers walked away with names, billing addresses, emails, phone numbers and dates of birth from around 37 million customer accounts.

The hackers also got T-Mobile data including customers’ account numbers and service plan details. The operator said it discovered the breach on January 5 and then shut down access to the API.

“No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised,” T-Mobile said in a statement. “We understand that an incident like this has an impact on our customers and regret that this occurred. While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program.”

T-Mobile also told the SEC: “Although we are unable to predict the full impact of this incident on customer behavior in the future … we presently do not expect that it will have a material effect on the company’s operations.”

However, analyst Neil Mack, with Moody’s Investors Service, wrote in a statement to media that the frequency of breaches at T-Mobile is cause for concern.

“T-Mobile’s latest announced cybersecurity breach … is credit negative and raises questions about the company’s cyber risk governance and management practices,” he wrote. “While these cybersecurity breaches may not be systemic in nature, their frequency of occurrence at T-Mobile is an alarming outlier relative to telecom peers, and it could negatively impact customer behavior, cause churn to spike and potentially attract the scrutiny of the FCC and other regulators.”

FCC gets involved

According to The Wall Street Journal, the FCC is investigating the matter. That’s not surprising, considering the agency this month moved forward on rules that would eliminate a seven-business-day waiting period for network operators to notify customers of security breaches. The rules would also require carriers to report inadvertent but harmful data breaches, and to immediately notify the FCC of such intrusions.

To read the complete article, visit Light Reading.