In a Form 8-K filing with the US Securities and Exchange Commission (SEC), T-Mobile disclosed a breach that affects 37 million customer accounts. The attacker was able to gain access to the information through an Application Programming Interface (API). The intruder first gained access to the data in late November 2022; T-Mobile learned of the breach on January 5, 2023.
- This is T-Mobile’s 8th breach in less than 5 years. Everybody gets breached at some point. But if you get breached 8 times, it may be time to look not just at technology but at the overall culture and management of your security organization.
- While T-Mobile’s statement downplays the sensitivity of the information obtained, characterizing it as marketing information, the information included name, billing address, email, phone number, date of birth, account number, and details such as the number of lines on the account and service plan features. Take appropriate steps to watch for your information being misused: not just credit monitoring, but also watching for very targeted social engineering.
- APIs are prevalent in today’s modern mobile and web applications and consequently are one of the most frequent attack vectors used by cybercriminals. The Open Web Application Security Project (OWASP) regularly publishes the ten most critical security concerns for web application security. Organizations that provide mobile and web services should become familiar with OWASP and implement the security recommendations provided as part of their software development process.
Read more in