This time, the mobile phone company claimed, lax API security allowed a threat actor to obtain account information.
The compromise of a single application programming interface (API) led to a new, large breach that T-Mobile says occurred in November. The result: the exposure of personal account data belonging to more than 37 million prepaid and postpaid customers.
For those keeping count, this most recent disclosure represents the second large-scale T-Mobile data leak in the last two years and more than a dozen in the previous five.
And they have been costly.
The Massachusetts attorney general fined T-Mobile $2.5 million in November of last year over a 2015 data breach. A further data breach in 2021 cost the carrier $500 million: $150 million earmarked for security upgrades through 2023 and $350 million paid out to affected customers.
The telecom behemoth is currently involved in a further cybersecurity crisis.
The Cybersecurity Mistake at T-Mobile
Threat actor John Binns boasted in an interview with the Wall Street Journal that T-Mobile's "poor" security made his job simple. Binns claimed responsibility for the 2021 breach affecting 54 million past, present, and prospective T-Mobile subscribers.
According to Justin Fier, senior vice president for red-team operations at Darktrace, an infrastructure the size of T-Mobile's is extremely difficult to secure, because it is challenging to defend against every attack vector.
According to Fier, "T-Mobile has a very complicated and expansive digital domain like most major businesses do." Because it is getting more difficult by the day to understand the data and acquire visibility into every area of that estate, businesses are using technology more frequently in this capacity.
He does, however, emphasize that an attacker doesn't need to have much expertise to exploit a weak API.
Mike Hamilton, CISO of Critical Insight, tells Dark Reading that this most recent hack also shows a lack of network visibility and of the ability to recognize anomalous behavior, in addition to insufficient API security.
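The visibility gap Hamilton describes is the ability to notice when one API client pulls far more customer records than any legitimate use would. The following is an added example, not code from the article or from T-Mobile: it runs a simple sliding-window check over constructed API access-log lines and flags any client that successfully reads more than a set number of distinct account records within one minute. The log format, the `/v1/accounts/<id>` endpoint path and the thresholds are all assumptions made for the illustration.

```python
"""Added example (not from the article or T-Mobile): flag API clients that
retrieve an unusually large number of distinct customer records, the kind of
bulk account-data access that network visibility and anomaly detection should
surface. Log format, endpoint path and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format):
# timestamp client_id method path status
SAMPLE_LOG = """\
2022-11-25T10:00:01Z client-A GET /v1/accounts/1001 200
2022-11-25T10:00:02Z client-A GET /v1/accounts/1002 200
2022-11-25T10:00:03Z client-A GET /v1/accounts/1003 200
2022-11-25T10:00:04Z client-A GET /v1/accounts/1004 200
2022-11-25T10:00:05Z client-A GET /v1/accounts/1005 200
2022-11-25T10:00:06Z client-A GET /v1/accounts/1006 200
2022-11-25T10:00:10Z client-B GET /v1/accounts/2001 200
2022-11-25T10:00:11Z client-B GET /v1/accounts/2001 200
2022-11-25T10:00:12Z client-B GET /v1/plans 200
2022-11-25T10:05:00Z client-C GET /v1/accounts/3001 200
"""


def parse_line(line):
    """Split one log line into its fields (assumed whitespace-separated format)."""
    ts, client, method, path, status = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "path": path,
        "status": int(status),
    }


def account_id(path):
    """Return the account identifier for a /v1/accounts/<id> request, else None."""
    parts = path.strip("/").split("/")
    if len(parts) == 3 and parts[0] == "v1" and parts[1] == "accounts":
        return parts[2]
    return None


def find_bulk_readers(log_text, window=timedelta(minutes=1), max_distinct=5):
    """Return {client: distinct_count} for clients that successfully read more
    than max_distinct distinct account records inside any sliding window."""
    per_client = defaultdict(list)  # client -> [(timestamp, account_id)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        acct = account_id(rec["path"])
        # Only successful reads of account records count toward the threshold.
        if acct is None or rec["status"] != 200:
            continue
        per_client[rec["client"]].append((rec["ts"], acct))

    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the window fits the time budget.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {acct for _, acct in events[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[client] = max(flagged.get(client, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for client, count in find_bulk_readers(SAMPLE_LOG).items():
        print(f"ALERT: {client} read {count} distinct accounts within one minute")
```

Repeated reads of the same account (client-B) are deliberately not counted, because the signal of interest is breadth of access across customers rather than request volume; in production the threshold would be tuned per client type rather than fixed at five.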
T-Mobile's Upcoming Regulation Battle
In its announcement of the cybersecurity incident, T-Mobile minimized the account information that had been stolen, stating that the information was "basic" and "widely available in marketing databases." Although it could appear to be a flippant dismissal of the effect on its customers, Hamilton adds that the distinction could shield the business from state regulators.
Hamilton says that even though the data has little actual worth, it could still be monetized by selling it in bulk. Because the majority of the stolen data is accessible from public sources, state privacy laws like the California Consumer Privacy Act are unlikely to be invoked.
Tim Cope, CISO of NextDLP, tells Dark Reading that T-Mobile may face greater difficulties in Europe under GDPR and the UK's Information Commissioner's Office (ICO). He adds that, in the end, penalties like these will encourage investment in crucial cybersecurity safeguards.
According to Cope, "the regulatory oversight of the ICO and GDPR should hopefully bring a significant series of fines along with these privacy breaches, which should in turn feed additional investment into security teams to help design better safeguards to secure APIs against the current and future attacks."