How Bad Was the New T-Mobile API Data Breach?

T-Mobile US revealed that data from “approximately 37 million current postpaid and prepaid customer accounts” was compromised in a disclosure to the Securities and Exchange Commission on Thursday. The breach was blamed on a hacker abusing an API.

On January 5, 2023, T-Mobile US… identified that a bad actor was obtaining data through a single Application Programming Interface (“API”) without authorization. We promptly commenced an investigation with external cybersecurity experts and within a day of learning of the malicious activity, we were able to trace the source of the malicious activity and stop it.

Compromised data included:

  • names;
  • billing addresses;
  • email addresses;
  • phone numbers;
  • dates of birth; and
  • T-Mobile account numbers.

However, the operator insisted that the API did not yield more damaging information.

Our systems and policies prevented the most sensitive types of customer information from being accessed… customer accounts and finances were not put at risk directly by this event. The API abused by the bad actor does not provide access to any customer payment card information (PCI), social security numbers/tax IDs, driver’s license or other government ID numbers, passwords/PINs or other financial account information, so none of this information was exposed.

T-Mobile US will be mindful of the anger felt by Australians after Optus breached data relating to 9.8 million current and former customers via a leaky API. One big difference is that many Optus customers needed to replace their driving licenses, causing a political furore over the cost, which Optus eventually agreed to cover. The news release issued by T-Mobile emphasized that the kind of information which was compromised can also be found elsewhere.

Some basic customer information (nearly all of which is the type widely available in marketing databases or directories) was obtained…

I have some sympathy for T-Mobile’s line of reasoning, though it is not very comforting. The operator did not spell it out explicitly, but any simple visualization of the enormity of past data breaches leads to the conclusion that the vast majority of data breached during this compromise must have been breached before. There eventually comes a point in time when all the ‘private’ data has already fallen into the hands of organized criminals, meaning no more harm can be caused by them seeing duplicates of what they already knew.

One problem for T-Mobile is that they also suffered a privacy breach which affected over 76 million people in 2021. Last year the telco offered USD350mn to settle lawsuits resulting from the 2021 breach. Two breaches in three years make them sound sloppy, though it might also mean they are more honestly reporting breaches than some other businesses. Their repeated failure was highlighted in an article from Reuters that also sourced a quote from one of those people who sound like they understand what they are talking about, but who probably know nothing about what they are talking about.

“While these cybersecurity breaches may not be systemic in nature, their frequency of occurrence at T-Mobile is an alarming outlier relative to telecom peers,” said Neil Mack, senior analyst for Moody’s Investors Service.

“It could negatively impact customer behavior, cause churn to spike and potentially attract the scrutiny of the FCC and other regulators.”

Mack’s opinion is empty talk, no matter how much people would like it to be true. Enforcement of data protection obligations is so weak that the penalties and remediation demanded by regulators are usually trivial compared to other costs following a breach, such as Optus paying the AUD29 (USD20) fee for each driving license that needed replacing after their breach, or T-Mobile’s offer of USD350mn to settle the suits resulting from the 2021 breach. But even those costs would be small change if 37 million customers churned to another telco.

T-Mobile had almost 114 million customers at the beginning of the year, meaning that approximately one-third of their customer base was affected by this breach. However, the company’s share price only fell by 3 percent following the news of the breach, then bounced back the following day, giving an indication of how much investors are worried about customer churn. One survey following the Optus breach said 10 percent of their customers would churn, but that is not backed by data which would confirm a large influx of new customers for rival telcos. It is far more likely that customers will say they are annoyed by breaches and worried about their personal data but then take no further action. If customers did churn in larger numbers after a privacy breach then businesses would already be doing far more to secure personal data.

T-Mobile US did not follow the encouraging trend of some other telcos by giving a specific executive the responsibility of assuring worried customers. It would be good if more telcos showed their management team really cares about privacy by expressing sincere regret instead of hiding behind anonymous press releases and official disclosures. But whilst the press and the public have finally woken up to the fact that the compromise of personal data is harmful, few noticed the most serious risk to communications security evidenced by this breach. 5G security expert Silke Holtmanns explained in a LinkedIn post:

API security was broken…. 5G and ORAN are ALL about APIs. It’s not unexpected, the networks are extremely complex, one little configuration mistake can have severe consequences, also OAuth and TLS are seen as a silver bullet and answer to everything, which they are not. One needs to filter and monitor what goes INTO the API.
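Holtmanns’ point that a valid OAuth token and a TLS connection are not, by themselves, a defence can be made concrete. The following is an added illustration written for this article, not code from T-Mobile, Optus or Holtmanns, and it makes no claim about how the breached API actually worked. It models a hypothetical customer-lookup endpoint and the two server-side controls her remark calls for: filtering each request so that a caller can only read the account the token actually entitles it to, and monitoring request streams for a caller that walks through many different account identifiers in a short window, which is what bulk extraction of customer records looks like from inside the network. Every caller name, account identifier and request record below is constructed for the example.

```python
"""Constructed illustration of 'filter and monitor what goes INTO the API'.

Two defender-side controls on a hypothetical customer-lookup endpoint:
  1. object-level authorization: a caller may only read accounts it owns;
  2. enumeration monitoring: flag callers that request many distinct
     account identifiers in a short window, the server-side signature of
     bulk scraping of customer records through an API.
All names, identifiers and request records here are constructed for the
example; nothing in this file describes any real operator's API or data.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiRequest:
    ts: float          # seconds since epoch (constructed)
    caller: str        # authenticated subject taken from the access token
    account_id: str    # the account record the caller asks to read


# Hypothetical ownership table: which accounts each authenticated caller may read.
OWNERSHIP = {
    "user-alice": {"acct-1001"},
    "user-bob": {"acct-1002", "acct-1003"},
}

# Only well-formed identifiers reach the lookup at all (constructed format).
ACCOUNT_ID_PATTERN = re.compile(r"^acct-\d{4}$")


def authorize(req: ApiRequest) -> bool:
    """Object-level check: reject malformed ids and ids the caller does not own.

    A valid token alone is not enough; the requested object must belong to the
    token's subject. This is the 'filter' half of the recommendation.
    """
    if not ACCOUNT_ID_PATTERN.match(req.account_id):
        return False
    return req.account_id in OWNERSHIP.get(req.caller, set())


def detect_enumeration(requests, window_seconds=60.0, max_distinct=5):
    """Monitoring half: return callers that touched more than `max_distinct`
    distinct account ids inside any sliding window of `window_seconds`.

    Denied requests are counted as well as allowed ones: a scraper walking
    the id space produces failures alongside hits, and the failures are the
    earlier signal.
    """
    flagged = set()
    per_caller = defaultdict(deque)  # caller -> deque of (ts, account_id)
    for req in sorted(requests, key=lambda r: r.ts):
        q = per_caller[req.caller]
        q.append((req.ts, req.account_id))
        # Drop entries that have aged out of the window.
        while q and req.ts - q[0][0] > window_seconds:
            q.popleft()
        if len({acct for _, acct in q}) > max_distinct:
            flagged.add(req.caller)
    return flagged


def build_sample_traffic():
    """Constructed traffic: two legitimate callers and one scraper."""
    legit = [
        ApiRequest(0.0, "user-alice", "acct-1001"),
        ApiRequest(5.0, "user-bob", "acct-1002"),
        ApiRequest(9.0, "user-bob", "acct-1003"),
        ApiRequest(30.0, "user-alice", "acct-1001"),
    ]
    # The scraper holds a valid token for user-mallory but asks for other ids,
    # one per second.
    scraper = [ApiRequest(10.0 + i, "user-mallory", f"acct-{2000 + i}")
               for i in range(8)]
    return legit + scraper


def run_pipeline(requests):
    """Apply both controls; return (allowed_count, denied_count, flagged_callers)."""
    allowed = sum(1 for r in requests if authorize(r))
    denied = len(requests) - allowed
    return allowed, denied, detect_enumeration(requests)


if __name__ == "__main__":
    print(run_pipeline(build_sample_traffic()))  # (4, 8, {'user-mallory'})
```

The two functions are deliberately separate: `authorize` decides each request on its own and would stop the scraper in this constructed traffic, but `detect_enumeration` is what tells the operator that someone is trying, and it still fires if the ownership check is misconfigured or bypassed, which is the “one little configuration mistake” Holtmanns refers to.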

A quarter of a century ago, at the height of the dotcom boom, there were countless businesses indiscriminately grabbing data whilst implementing only trivial security to protect it all. Technologists effectively trained the rest of society to be indifferent to data breaches by making them inevitable. Users were encouraged to believe that their privacy would only be threatened if they made a poor choice of password. That seems incredibly naive now, but it was also incredibly naive then. Now technologists are racing to abstract data from physical systems more than ever before. This leads to greater and greater reliance on APIs, so that systems can ‘talk’ to each other and effectively communicate the information they need to work properly.

As Holtmanns points out, the use of APIs is central to 5G. But within just four months there have been two massive data breaches that resulted from the exploitation of telco APIs. One compromised data relating to 40 percent of Australians, the other compromised data for 11 percent of Americans. Data security has improved in the last 25 years, but not enough, as these breaches demonstrate. Technology trends suggest that each new hack will yield larger and larger volumes of personal data. APIs are central to the networks of the future but they are also an extremely attractive target for criminals and other bad actors. That is the bad news we need to take away from this breach.

Silke Holtmanns will be one of the expert guests appearing on The Communications Risk Show, a new interview series that will be livestreamed to the web every Wednesday from March 15. Stay tuned for more details.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.