T-Mobile Breached Again, This Time Exposing 37M Customers' Data - Dark Reading


T-Mobile has disclosed a new, massive breach that occurred in November, which was the result of the compromise of a single application programming interface (API). The result? The exposure of the personal data of more than 37 million prepaid and postpaid customer accounts.

For those keeping track, this latest disclosure marks the second sprawling T-Mobile data breach in two years and more than a half-dozen in the past five years.

And they've been expensive.

Last November, T-Mobile was fined $2.5 million for a 2015 data breach by the Massachusetts attorney general. Another 2021 data leak cost the carrier $500 million: $350 million in payouts to affected customers, and another $150 million pledged toward upgrading security through 2023.

Now the telecom giant is mired in yet another cybersecurity incident.

T-Mobile's Cybersecurity Snafu

The threat actor who claimed to be behind the 2021 breach of 54 million T-Mobile customers, past, present and prospective, John Binns, bragged in an interview with the Wall Street Journal that T-Mobile's "awful" security made his job easy.

But an infrastructure like T-Mobile's means it's tough to cover the entire attack surface, making their systems particularly complex to secure, Justin Fier, senior vice president for red-team operations with Darktrace, tells Dark Reading.

"Like most large brands, T-Mobile has a very complex and sprawling digital estate," Fier explains. "It is becoming harder by the day to gain visibility into every aspect of that estate and make sense of the data, which is why we're increasingly seeing firms lean on technology to perform that role."

However, he adds that breaching a vulnerable API doesn't require much know-how on the part of an attacker.

Besides weak API security, Mike Hamilton, CISO of Critical Insight, tells Dark Reading that this latest compromise also demonstrates a lack of network visibility and ability to detect abnormal behavior.

"Details are scant, and there has been no attribution of the 'bad actor,' who apparently had access to data for about 10 days before being stopped," Hamilton says.
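Hamilton's point is that sustained bulk reads through an API should be visible long before day 10. As an added example (not from the article, T-Mobile, or any of the people quoted), here is a small detector that parses constructed API access-log lines and flags any client credential that successfully reads an unusually large number of distinct customer records within a sliding window. The log format, client names, endpoint path, and the threshold of 50 distinct records per hour are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical access-log format (an assumption for this example):
# <ISO timestamp> <client_id> GET /v1/accounts/<customer_id> <http_status>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) GET /v1/accounts/(?P<cust>\d+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Parse log text into (timestamp, client, customer_id, status) tuples.

    Malformed lines are skipped rather than raising, so one bad line
    cannot silence the whole detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["client"], m["cust"], int(m["status"])))
    return events


def flag_bulk_readers(events, window=timedelta(hours=1), max_distinct=50):
    """Return {client: peak_distinct_customers} for every client that read
    more than max_distinct distinct customer records inside any window.

    Only 2xx responses count: those are the requests that actually returned
    customer data, which is what an exposure of 37M records looks like in logs."""
    per_client = defaultdict(list)
    for ts, client, cust, status in events:
        if 200 <= status < 300:
            per_client[client].append((ts, cust))

    flagged = {}
    for client, reads in per_client.items():
        reads.sort()  # chronological order so the window can slide
        peak = 0
        start = 0
        for end in range(len(reads)):
            # advance the window start until it spans at most `window`
            while reads[end][0] - reads[start][0] > window:
                start += 1
            distinct = len({c for _, c in reads[start:end + 1]})
            peak = max(peak, distinct)
        if peak > max_distinct:
            flagged[client] = peak
    return flagged


def build_sample_log():
    """Constructed sample data: one ordinary client touching a handful of
    accounts over an hour, and one client sweeping through 120 distinct
    accounts in ten minutes. Client names and IDs are made up."""
    base = datetime(2022, 11, 25, 10, 0, 0)
    lines = []
    for i in range(5):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} support-portal GET /v1/accounts/{2000 + i} 200")
    for i in range(120):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} partner-app-17 GET /v1/accounts/{1000 + i} 200")
    lines.append("this line is deliberately malformed and should be skipped")
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_log(build_sample_log())
    for client, peak in flag_bulk_readers(events).items():
        print(f"ALERT: {client} read {peak} distinct customer records within one hour")
```

The threshold here is a stand-in for a per-client baseline; in practice it would be derived from each credential's normal daily volume, and the same sliding-window count works on real gateway logs once the regex is adapted to their format. The point the example makes is that the signal (one credential, thousands of distinct records, short window) is cheap to compute and does not depend on knowing how the API was broken.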

T-Mobile's Next Regulator Bout

In the disclosure of the cybersecurity incident, T-Mobile downplayed the stolen account data, adding the data was "basic," and "widely available in marketing databases." While it might read like a glib dismissal of the impact on its customers, the distinction could protect the company from state regulators, Hamilton adds.

"The data may be monetized by selling in bulk, though it's of little real value," Hamilton says. "Most of the data in the theft can be found in public sources and is unlikely to cause legal action from state privacy statutes like the CCPA (California Consumer Privacy Act)."

However, T-Mo might have more trouble in Europe with GDPR and Information Commissioner's Office (ICO) regulators in the UK, Tim Cope, CISO of NextDLP, explains to Dark Reading. Penalties like these eventually will drive investment in the necessary cybersecurity protections, he adds.

"The regulatory oversight of the ICO and GDPR should hopefully bring a large set of fines along with these privacy breaches," Cope says, "which should in turn feed more investment into security teams to help build better controls to guard APIs against the current and future attacks."
