News that T-Mobile in the US has allowed the personal details of 37 million of its customers to be hacked is worrying in itself. But the seemingly laid-back attitude in response to the hack from the company is perhaps more concerning, argues business technology journalist Antony Savvas.
The firm revealed last Thursday that it was investigating the data breach, after first identifying malicious activity on 5 January. It noticed a “bad actor” had obtained data through a single API (application programming interface) without authorisation.
It claims, in a notification filed with the US Securities and Exchange Commission, that the breach was “contained within a day” and that “no sensitive data”, such as customer financial information, was compromised.
Disingenuous claim
This is pretty disingenuous, in my humble opinion, and also in the minds of experts on the subject.
The data leakage is actually believed to have begun on or around 25 November, 2022, admits the operator, and included the theft of “basic customer information”, like names, birth dates, billing addresses, email addresses and phone numbers.
“No information was obtained for impacted customers that would compromise the safety of customer accounts or finances,” T-Mobile claims.
Eh… the culprits now have all the data they need to try and conduct potential fraud against customers!
“We have made substantial progress to date and protecting our customers’ data remains a top priority. We will continue to make substantial investments to strengthen our cyber security programme,” T-Mobile adds. Not a bad idea.
Preceding disaster
This data disaster follows the one T-Mobile suffered in August 2021, when 50 million customers were affected, including the theft of their social security numbers. If the thieves involved in the latest attack were able to combine the information in the previous hack, it would potentially be open season on over a quarter of the population of the US.
Chris Deverill, UK director at Orange Cyberdefense, says of the attack, “The importance of API security is growing as application security makes its way up the corporate agenda, in line with the rise of digital transformation, cloud adoption and DevOps approaches. The T-Mobile breach proves why.”
He says: “While new digital platforms and applications are developed to enhance efficiency, better support customers and create business value, they don’t come without risks. In fact, one of the biggest struggles when it comes to new applications is security. There are measures that businesses can put in place to protect APIs, like authentication systems, advanced searches, and firewalls for web applications.”
A shame
CEO of Endor Labs, Varun Badhwar, whose firm focuses on securing open source software and supply chains, adds: “What’s unfortunate, yet sadly common about this latest episode at T-Mobile, is how much we still don’t know.
“The company only learned of it on 5 January, but otherwise the intruder might have begun retrieving the data on 25 November. The real shame is that T-Mobile classified the leaked data as ‘basic customer information’. It feels as if they want us to thank them for not revealing social security numbers, which were already compromised in previous breaches.
“With all this information, attackers can launch a variety of targeted attacks and attempt spoofing, SMS takeover, etc. What I’d love to see is for companies not to marginalise the sensitivity of our personal information.”
Eliminate silos
“These attacks will keep happening until organisations commit to reduce, and ultimately eliminate data silos and copy-based data integration, in order to establish a foundation of control,” says Dan DeMers, CEO of data management firm Cinchy.
“Current practices of fragmenting sensitive customer data within databases, data warehouses, spreadsheets and applications is forcing them to engage in the practice of widespread and unrestricted copying through a process known as ‘data integration’, he says. “The result of this is that it exponentially increases the attack surface for bad actors to exploit.”
“Of course, there are no silver bullets when it comes to data security, but getting our collective houses in order by seeking to eliminate silos and copies is absolutely key to establishing effective data protection.
“In practice, what we’re talking about is a fundamental shift where C-suite executives, data architects and application developers start to decouple data from applications and other silos, to establish ‘zero copy integration’ data ecosystems, to help achieve control,” DeMers says.
Big fines
In T-Mobile’s case, maybe a big fine may help to focus its C-suite’s attention on the matter, particularly as the regulatory and compliance regime globally is not getting any easier for CSPs (communications service providers).
You only have to look at the latest rules set down by the European Commission on Internet of Things (IoT) system protection to see this.
The Commission’s Cyber Resilience Act (CRA) is intended to address data security problems surrounding devices and systems with network connections, from printers and routers to smart household appliances and industrial control systems.
To press manufacturers, distributors and importers into more protective action, they face significant penalties if security vulnerabilities in devices are discovered and not properly reported and closed.
“The pressure on the industry is growing immensely,” says Jan Wendenburg, CEO of cyber security firm ONEKEY. “The financial fines for affected manufacturers and distributors are severe: up to €15 million or 2.5% of global annual revenues in the past fiscal year [the equivalent larger fine applies].”
Suppliers to CSPs must now prepare to complete a Cyber Resilience Readiness Assessment, if they want to avoid putting their head on the chopping block.
The author is Antony Savvas, a global freelance business technology journalist.
Comment on this article below or via Twitter: @VanillaPlus OR @jcvplus
