RISKS
What happened
In January 2023, T-Mobile said a “bad actor” accessed personal data from 37 million current customers in a November 2022 data breach through a single Application Programming Interface (“API”) without authorization. T-Mobile said in a filing with the U.S. Securities and Exchange Commission that the breach was discovered January 5th.
It said the data exposed — based on its investigation to date — included names, billing addresses, emails, phone numbers, dates of birth, T-Mobile account numbers and information describing the kind of service they have with the wireless carrier. T-Mobile said the breach did not include passwords or PINs, bank account or credit card information, Social Security numbers (SSNs) or other government IDs.
As T-Mobile stated to the SEC: “We may incur significant expenses in connection with this incident.”
This is the eighth cyber incident that T-Mobile has identified since 2018. Previous breaches exposed customer call records in January 2021, credit application data in August 2021, and an “unknown actor” accessing customer info and executing SIM-swapping attacks in December 2021. In April of 2022, the hacking group Lapsus$ stole T-Mobile’s source code after purchasing employees’ credentials online.
The August 2021 incident was particularly costly for T-Mobile as it agreed to pay a $500 million settlement for compromising the sensitive personal information (including first and last names, dates of birth (DOB), SSNs, and driver’s license numbers) of more than 76 million current, former, and prospective customers. Out of that $500 million, $350 million was to go to the settlement fund and “at least $150 million” was to go toward enhancing its data security measures through 2023. T-Mobile referenced this effort in the January 2023 filing, stating: “we commenced a substantial multi-year investment working with leading external cybersecurity experts to enhance our cybersecurity capabilities and transform our approach to cybersecurity.” Apparently, it’s a work in progress!
Why is this important?
According to 2022 Cost of a Data Breach Report from IBM, 83% of organizations surveyed have experienced more than one data breach in their lifetime! Data breaches keep happening – and the costs keep escalating – unless you close the vulnerability completely.
What does this mean to me?
The latest breach from T-Mobile was code related. Nearly 50% off the initial breach vector for all breaches is through vulnerabilities in web applications. Organizations need to have secure coding practices and train developers on the OWASP v4.1 standard.
APPROACHES
Helpful Controls
- Secure Coding Practices, OWASP v4.1
- Web Application Firewall (WAF)
- Application Pen testing of code and APIs
Commonality of attack
High
HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, and more that impact your risk management program.
SCHEDULE YOUR FULL HALOCK SECURITY BRIEFING