T-Mobile U.S. confirmed in a regulatory filing that it has suffered a cyber attack in which data for approximately 37 million current postpaid and prepaid customer accounts was stolen.
According to the company, there is currently no evidence of a breach or compromise of its systems or network. The telecom major is in the process of informing impacted customers that a bad actor used a single Application Programming Interface (API) to obtain limited types of information on their accounts.
In a filing with the U.S. Securities and Exchange Commission, T-Mobile said the impacted API was able to provide some basic customer information, including name, billing address, email, phone number, date of birth, T-Mobile account number and information regarding the number of lines on the account and plan features.
However, no passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised.
T-Mobile said that on Jan. 5, it identified that a bad actor was obtaining data through a single API without authorization. The company said that through an investigation with external cybersecurity experts, it was able to trace the source of the malicious activity and stop it within 24 hours.
The investigation is still ongoing, but the malicious activity appears to be fully contained at this time.
It is now believed that the bad actor first retrieved data through the impacted API starting on or around November 25, 2022. T-Mobile said it has notified certain federal agencies about the incident and is concurrently working with law enforcement.
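The filing says a single API served records for roughly six weeks before the activity was noticed and shut off within a day. The script below is an added example, not T-Mobile's code and not anything the filing describes: it assumes a per-request access log carrying a client identifier (an API key id) and a numeric account id (the log format, field names, thresholds and the sample lines are all constructed), and flags clients that read an unusual number of distinct accounts inside a sliding window or walk account ids sequentially, which is the shape that mass scraping through an otherwise legitimate API tends to take.

```python
"""Flag API clients that enumerate customer accounts.

Added illustration only. The log format, client ids, account ids and
thresholds are assumptions; nothing here comes from the T-Mobile filing.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, client (API key id), method, path, status.
# key_7f3a walks account ids one after another; the other two look like normal use.
SAMPLE_LOG = """\
2022-11-25T03:12:01Z key_7f3a GET /v1/accounts/1000001 200
2022-11-25T03:12:02Z key_7f3a GET /v1/accounts/1000002 200
2022-11-25T03:12:03Z key_7f3a GET /v1/accounts/1000003 200
2022-11-25T03:12:04Z key_7f3a GET /v1/accounts/1000004 200
2022-11-25T03:12:05Z key_7f3a GET /v1/accounts/1000005 200
2022-11-25T03:12:06Z key_7f3a GET /v1/accounts/1000006 200
2022-11-25T08:40:10Z key_a1b2 GET /v1/accounts/2203411 200
2022-11-25T08:41:55Z key_a1b2 GET /v1/accounts/2203411 200
2022-11-25T09:02:31Z key_c9d0 GET /v1/accounts/5530207 200
2022-11-25T09:02:33Z key_c9d0 GET /v1/accounts/5530208 404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) "
    r"/v1/accounts/(?P<account>\d+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Return (timestamp, client, account_id, status) tuples for account lookups."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an account lookup; ignore
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["client"], int(m["account"]), int(m["status"])))
    return events


def find_enumerators(events, window=timedelta(hours=1), max_distinct=5,
                     seq_ratio=0.8, min_accounts=3):
    """Return {client: stats} for clients whose access pattern looks like enumeration.

    A client is flagged if, within any `window`, it touched more than `max_distinct`
    different accounts, or if at least `min_accounts` distinct ids were read and
    `seq_ratio` or more of the gaps between sorted ids equal 1 (sequential walk).
    Failed lookups (404s) count too: probing non-existent ids is part of the pattern.
    """
    by_client = defaultdict(list)
    for ts, client, account, _status in sorted(events):
        by_client[client].append((ts, account))

    flagged = {}
    for client, reqs in by_client.items():
        distinct = sorted({a for _, a in reqs})

        # Sliding window over time-ordered requests: peak number of distinct accounts.
        peak, start, in_window = 0, 0, defaultdict(int)
        for end, (ts, account) in enumerate(reqs):
            in_window[account] += 1
            while ts - reqs[start][0] > window:
                old = reqs[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))

        # Fraction of adjacent sorted ids that differ by exactly one.
        gaps = [b - a for a, b in zip(distinct, distinct[1:])]
        seq_frac = (sum(1 for g in gaps if g == 1) / len(gaps)) if gaps else 0.0

        if peak > max_distinct or (len(distinct) >= min_accounts and seq_frac >= seq_ratio):
            flagged[client] = {
                "distinct_accounts": len(distinct),
                "peak_in_window": peak,
                "sequential_fraction": round(seq_frac, 2),
            }
    return flagged


if __name__ == "__main__":
    for client, stats in find_enumerators(parse_log(SAMPLE_LOG)).items():
        print(client, stats)
```

In the constructed sample only key_7f3a is reported: key_c9d0 also hit two adjacent ids, but two accounts are below `min_accounts`, which keeps a support agent opening a customer's two linked accounts from tripping the rule. In production the thresholds would be far higher and the window per client tuned to normal traffic, but the two signals (distinct-account volume per key and sequential id walks) are the ones that would have stood out over a six-week scrape.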
The company said at present it doesn’t expect that the incident will have a material effect on its operations.
"We understand that an incident like this has an impact on our customers and regret that this occurred,” T-Mobile said in a statement. “While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cybersecurity program.”
This is the fifth breach T-Mobile has disclosed since 2018. Prior to the August 2021 intrusion, the company disclosed breaches in January 2021, November 2019 and August 2018 in which customer information was accessed.
The highly publicized 2021 incident, which compromised data on 76 million customers, led the company to pay $350 million in a class action settlement to lawyers and customers.
Company promised changes
At the time, the company issued a statement that said it had doubled down on security by creating a Cybersecurity Transformation Office that directly reports to the T-Mobile CEO; collaborating with cybersecurity firms to “further transform our cybersecurity program;” ramping up employee cybersecurity training; and investing “hundreds of millions of dollars to enhance our current cybersecurity tools and capabilities.”
Security officials weighed in on the T-Mobile attack this week.
Approov CEO Ted Miracco said all signs point to a state-sponsored attack based on the magnitude of data stolen and the period of time involved in exfiltrating the data. He said currently deployed security technologies in mobile applications “are just small speed bumps for the experienced hackers” that are increasingly using man-in-the-middle attacks (MitM) and API keys to gather richer troves of data, not just PII.
“Was this attack preventable? Yes, but that would require a serious commitment and the corresponding investments in protecting clients’ data,” Miracco said. “It is very unfortunate that there is little accountability for these breaches. We live in an environment where companies would rather apologize for a data breach, and then offer their clients one year of free credit monitoring services, than invest in cyber security solutions that might have contained the breach before 40 million records were exfiltrated.
“The bottom line is that companies like T-Mobile are focused on their bottom lines, and it is more cost effective to apologize than to correct the systemic problems in these cases. We need to make sure that API security is prioritized, and we should start with the mobile devices as these are the easiest to hack and as demonstrated, are poorly protected.”
'Enough data to do anything'
Brad Hong, customer success lead at Horizon3ai, questions how much of the pledged money was actually pulled out of the company’s bottom line to add to its “war chest for cyber.”
“From the attacker’s perspective, for example, with just the intelligence gathered from the recent Experian in tandem with this data breach, there’s not much else needed to commit crimes,” Hong said.
“There’s enough data to do anything from SIM swaps and refined targeting for phishing, all the way to identity theft and credit card and wire fraud. What other authoritative source of identity is left for the average consumer to use to verify who they are, when the supposed gatekeepers of our most sensitive data keep failing to defend it, let alone notify them so as to protect themselves preemptively?”
Justin Fier, senior vice president of Red Team Operations at Darktrace, said there is an ongoing problem with API security and credential leaking that is causing several organizations to fall victim to these attacks. He noted that no API is perfect, and problems relating to API credential management "are extremely common these days."
Data 'could be weaponized'
"Just last week we saw a high-severity security flaw disclosed in the open source jsonwebtoken (JWT) library that, if successfully exploited, could grant threat actors a lucrative initial access pathway for staging supply chain attacks," Fier said. "While it's unclear what the API in the T-Mobile attack was used for, it would be alarming for an external API to have access to this amount of sensitive PII. We will need to wait for more details on what this API was for."
He added, "It's encouraging to see T-Mobile being transparent about the potential costs that will be incurred because of this, and it is not common for an organization to make this claim. This could refer to the cost of clean-up, including lawsuits with customers affected, or SEC fines incurred for the breach.
"The type of data set obtained in this attack is highly sensitive and when used in combination, could be weaponized for large-scale or targeted identity theft. It is the perfect data set for an intelligence service to leverage in several ways, which is critical when we think about voter security and ongoing geopolitical tensions."
©2023 dpa GmbH. Distributed by Tribune Content Agency, LLC.