Cyber security experts have warned that T-Mobile customers could face increased phishing attacks after a data breach exposed millions of customer records.
The US telecoms provider revealed yesterday that it is investigating a security incident after discovering “unusual activity” on 5 January.
A “preliminary” investigation by the company found that the threat actor(s) took advantage of an API vulnerability to obtain data on 37 million customers.
Data exposed in the breach included account holder names, email addresses, phone numbers dates of birth, billing addresses, and account numbers.
However, the company insisted that no information was exposed that could “compromise the safety of customer accounts or finances”.
“As soon as our teams identified the issue, we shut it down within 24 hours. Our systems and policies prevented the most sensitive types of customer information from being accessed, and as a result, customer accounts and finances should not be put at risk directly by this event,” T-Mobile said in its advisory.
“No passwords, payment card information, social security numbers, government ID numbers or other financial account information were compromised.”
T-Mobile added that there is currently “no evidence” to suggest the threat actor(s) breached or compromised its network or systems. However, the firm warned that the culprit could have been stealing data as far back as 25 November.
Dr Ilia Kolochenko, founder of ImmuniWeb, warned that although critical financial data was not stolen in this data breach, the incident could still create significant risks for customers.
Access to customer names and email addresses could be harnessed by threat actors to conduct targeted phishing campaigns in months to come.
“While the financial data of the customers is reportedly safe, the compromised billing details can be aptly exploited by cyber criminals for sophisticated spear phishing attacks aimed, amongst other things, to steal 2FA tokens from other systems,” he said.
Alexander Heid, chief research and development officer at SecurityScorecard echoed Kolochenko’s comments, but added that this latest breach pales in comparison to previous incidents.
"It was unauthorised access on a web application/API that leaked customer data that could be useful in phishing or spamming - and does not seem to be as serious as previous T-Mobile breaches from recent years leaked SSN numbers.”
API vulnerabilities rising
API vulnerabilities have escalated significantly in recent years as businesses globally continue to embed applications within their service offerings.
Research last year found that 95% of companies had encountered some form of API-related security incident between April 2021 and 2022. A similar study from Imperva revealed that API vulnerabilities cost businesses $75 billion (£60.6 billion) each year.
Gartner’s API Security and Management report last year predicted that, across 2023, APIs will become the most frequent attack vector for threat actors globally.
The consultancy also believes that more than half of data theft will come as a result of insecure or vulnerable APIs.
Kolochenko warned that unprotected APIs are “rapidly becoming one of the primary sources of disastrous data breaches” and creating serious challenges for global businesses.
“The situation is aggravated by shadow IT that now encompasses not only the forgotten, abandoned, or undocumented APIs and web services but also the full spectrum of accidentally exposed APIs from test and pre-production environments that may be hosted or managed by numerous third parties that have privileged access to sensitive corporate data,” he said.
T-Mobile's string of breaches
This incident marks the latest in a string of eight data breaches for T-Mobile in the last five years.
In 2021, a cyber attack on the telecoms provider compromised personal data belonging to around 50 million customers.
Two years prior, hackers compromised internal company networks and stole the personal data of more than a million US customers. This cyber attack came just one year after an “international group” was found to have compromised systems and obtained customer data.
At the time, T-Mobile said this affected 3% of its 77 million-strong customer base, amounting to around 2.3 million users.
A spokesperson for the US Federal Communications Commission (FCC) told the Wall Street Journal that the incident could prompt an official investigation.
In its statement yesterday, T-Mobile said the company plans to invest heavily in its internal cyber security capabilities to prevent future incidents from occurring.
“While we, like any other company, are unfortunately not immune to this type of criminal activity, we plan to continue to make substantial, multi-year investments in strengthening our cyber security programme.”
