
The T-Mobile Breach and API Security

Early this month, T-Mobile, one of the largest wireless network operators in the United States, filed a disclosure notice with the SEC stating that a breach had been discovered in its networks. The breach, which impacted over 37 million customers, was carried out by a hacker who was able to access the data through a single Application Programming Interface (API). The ongoing investigation found that financial data was not compromised, but customers’ personally identifiable information (PII), including names, addresses, emails, and phone numbers, was obtained in the breach.

This is not the first time that T-Mobile has suffered a significant data breach: it only recently reached a $350 million settlement for a previous incident that occurred in 2021. As part of that settlement, it also committed an additional $150 million to security upgrades. The 2021 breach was carried out by a 21-year-old American who gained access to the organization through an unprotected router and who said at the time that the security at T-Mobile was “awful.”

APIs, which are critical for businesses to connect services and transfer data, are found in customer-, partner-, and internal-facing applications. They inherently expose application logic and PII, making them a prime target for attackers and a priority for cybersecurity teams. Attacks on this kind of network infrastructure are becoming increasingly common, so it is not surprising to see such a high-profile instance at T-Mobile.