Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Monday January 23, @01:41PM   Printer-friendly
from the see-what-breach-is-next dept.

New T-Mobile Breach Affects 37 Million Accounts:

T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with federal regulators, T-Mobile said an investigation determined that someone abused its systems to harvest subscriber data tied to approximately 37 million current customer accounts.

In a filing today with the U.S. Securities and Exchange Commission, T-Mobile said a "bad actor" abused an application programming interface (API) to hoover up data on roughly 37 million current postpaid and prepaid customer accounts. The data stolen included customer name, billing address, email, phone number, date of birth, T-Mobile account number, as well as information on the number of customer lines and plan features.

APIs are essentially instructions that allow applications to access data and interact with web databases. But left improperly secured, these APIs can be leveraged by malicious actors to mass-harvest information stored in those databases. In October, mobile provider Optus disclosed that hackers abused a poorly secured API to steal data on 10 million customers in Australia.

T-Mobile said it first learned of the incident on Jan. 5, 2023, and that an investigation determined the bad actor started abusing the API beginning around Nov. 25, 2022. The company says it is in the process of notifying affected customers, and that no customer payment card data, passwords, Social Security numbers, driver's license or other government ID numbers were exposed.

In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver's license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company. That breach came to light after a hacker began selling the records on a cybercrime forum.

Last year, T-Mobile agreed to pay $500 million to settle all class action lawsuits stemming from the 2021 breach. The company pledged to spend $150 million of that money toward beefing up its own cybersecurity.

In its filing with the SEC, T-Mobile suggested it was going to take years to fully realize the benefits of those cybersecurity improvements, even as it claimed that protecting customer data remains a top priority.


Original Submission

 
This discussion was created by janrinok (52) for logged-in users only. Log in and try again!
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 5, Insightful) by DannyB on Monday January 23, @03:31PM (4 children)

    by DannyB (5839) Subscriber Badge on Monday January 23, @03:31PM (#1288185) Journal

    even as it claimed that protecting customer data remains a top priority.

    Yep, top priority!

    Somewhere a little below executive compensation, bonuses and golden parachutes.

    --
    Scissors come in consumer packaging that cannot be opened without scissors.
    • (Score: -1, Flamebait) by Anonymous Coward on Monday January 23, @03:38PM

      by Anonymous Coward on Monday January 23, @03:38PM (#1288188)

      The only thing worse than an Indian is Abdul.

    • (Score: 5, Funny) by Freeman on Monday January 23, @04:49PM (2 children)

      by Freeman (732) on Monday January 23, @04:49PM (#1288201) Journal

      Reminds of the security meme for IOT, where the S in IOT stands for security.

      --
      Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
      • (Score: 4, Touché) by DannyB on Monday January 23, @10:27PM (1 child)

        by DannyB (5839) Subscriber Badge on Monday January 23, @10:27PM (#1288254) Journal

        The SH is for Security Hardened in SHIoT.

        --
        Scissors come in consumer packaging that cannot be opened without scissors.
        • (Score: 0) by Anonymous Coward on Tuesday January 24, @05:23PM

          by Anonymous Coward on Tuesday January 24, @05:23PM (#1288386)

          > The SH is for Security Hardened in SHIoT.

          That must be the tail end of the IoTtS...
                      Internet of Things that Suck

          We've come along way since the original ITS -- Incompatible Timesharing System. Sources, short feature list and build instructions here, https://github.com/PDP-10/its [github.com] The security hasn't gotten any better (iirc, ITS has none, by design).

  • (Score: 2, Informative) by Runaway1956 on Monday January 23, @03:45PM (2 children)

    by Runaway1956 (2926) Subscriber Badge on Monday January 23, @03:45PM (#1288191) Homepage Journal

    We need more efficient breaches! /sarcasm

    --
    Don’t confuse the news with the truth.
    • (Score: 2) by DannyB on Monday January 23, @04:08PM

      by DannyB (5839) Subscriber Badge on Monday January 23, @04:08PM (#1288196) Journal

      I find it more efficient to use <no-sarcasm> tags as necessary.

      --
      Scissors come in consumer packaging that cannot be opened without scissors.
    • (Score: 0) by Anonymous Coward on Monday January 23, @06:50PM

      by Anonymous Coward on Monday January 23, @06:50PM (#1288229)

      Only 10% is publicized. The real number is 100%.. but don't tell anybody

  • (Score: 3, Insightful) by corey on Monday January 23, @11:22PM

    by corey (2202) on Monday January 23, @11:22PM (#1288265)

    America, your turn. We (Aussies) had exactly the same thing a few months ago - one of the big three telcos had an openly web available API that was exploited. Of course they blamed the “hacker”, but it was obvious to anyone in the industry or with knowledge in anything IT that this was a huge security blunder. They even got our version of GCHQ / NSA to help. Because they apparently lost something like a third of the country’s populations details. Including real personal stuff like drivers license numbers which are used for ID verification. Hence that bulk of people then were exposed to identity theft. The (among many) stupid thing is that they should not have only retained the data on a lot of the affected people because they were former customers from years back. But the government has laws forcing them to hold the data for years.

    It was a massive, frustrating, joke. I feel for all the T-mobile folk.

    Oh and shortly after, Medibank who are a private health insurer were hacked (I don’t know the details of that) and people’s medical information and records were taken. Insane.

(1)