T-Mobile’s 2023 data breach shows its $150 million security investment isn’t cutting it

Yesterday the mobile giant T-Mobile said there was a data breach on Nov. 26 that affected 37 million current customers, both prepaid and postpaid. The company stated in US Securities and Exchange Commission statement that the “attacker” manipulated one of the company’s Application Programming Interfaces (APIs) to steal customer names, email addresses, phone numbers, billing addresses, dates of birth, account numbers, and service plan details. The initial intrusion occurred in late November, with T-Mobile detecting activity on January 5th.

T-Mobile is one of the largest US mobile operators. estimated have over 100 million customers. But over the past 10 years, the company has developed a reputation for being plagued by repeated data breaches along with other security incidents. The company had a major hack in 2021, two violations in 2020 one in 2019and the other in 2018. Most large companies struggle with digital security, and no one is immune from data breaches, but T-Mobile seems to be approaching companies like Yahoo in a pantheon of recurring compromises.

“I’m certainly disappointed to learn that after so many break-ins they were never able to reinforce their leaky ship,” says Chester Wisniewski, field technical director for applied research at security firm Sophos. . “It is also worrying that the perpetrators were in the T-Mobile office. [system] more than a month before discovery. This suggests that T-Mobile’s defenses do not use the sophisticated security and threat monitoring teams that one would expect from a large enterprise such as a mobile carrier.”

Due to restrictions on the API (an interface that facilitates interaction between two programs), the attacker did not gain access to social security numbers or tax IDs, driver’s license data, passwords and PINs, or financial information such as payment card data. However, such data has been compromised in other recent T-Mobile breaches, including one in August 2021. In July 2022, T-Mobile agreed to settle a class-action lawsuit over this infringement in a deal that paid out $350 million to customers. At that time, the company also committed to a two-year, $150 million initiative to improve its digital security and data protection.

T-Mobile, which did not respond to multiple requests for comment from WIRED, wrote in its SEC disclosure that in 2021, “We have begun a significant multi-year investment, working with leading external cybersecurity experts, to expand our cybersecurity capabilities and change our approach to cyber security. We have made significant progress to date and protecting our customer data remains a top priority.”

This was clearly not enough, given the recent incident, which resulted in the disclosure of data on about a third of the company’s customers in the United States.

“How many of them should T-Mobile have?” asked Jake Williams, a longtime incident responder and analyst at the Applied Network Security Institute. “API security is just starting to get people’s attention, which was a mistake. Identifying API abuse is not easy, especially if the threat actor is moving low and slowly. I suspect that many of them simply go unnoticed. But the bottom line is that the security of the T-Mobile API clearly needs to be improved. You shouldn’t have massive API abuse for more than six weeks.”