Stories
Slash Boxes
Comments

SoylentNews is people

posted by janrinok on Monday January 23, @01:41PM   Printer-friendly
from the see-what-breach-is-next dept.

New T-Mobile Breach Affects 37 Million Accounts:

T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with federal regulators, T-Mobile said an investigation determined that someone abused its systems to harvest subscriber data tied to approximately 37 million current customer accounts.

In a filing today with the U.S. Securities and Exchange Commission, T-Mobile said a "bad actor" abused an application programming interface (API) to hoover up data on roughly 37 million current postpaid and prepaid customer accounts. The data stolen included customer name, billing address, email, phone number, date of birth, T-Mobile account number, as well as information on the number of customer lines and plan features.

APIs are essentially instructions that allow applications to access data and interact with web databases. But left improperly secured, these APIs can be leveraged by malicious actors to mass-harvest information stored in those databases. In October, mobile provider Optus disclosed that hackers abused a poorly secured API to steal data on 10 million customers in Australia.

T-Mobile said it first learned of the incident on Jan. 5, 2023, and that an investigation determined the bad actor started abusing the API beginning around Nov. 25, 2022. The company says it is in the process of notifying affected customers, and that no customer payment card data, passwords, Social Security numbers, driver's license or other government ID numbers were exposed.

In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver's license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company. That breach came to light after a hacker began selling the records on a cybercrime forum.

Last year, T-Mobile agreed to pay $500 million to settle all class action lawsuits stemming from the 2021 breach. The company pledged to spend $150 million of that money toward beefing up its own cybersecurity.

In its filing with the SEC, T-Mobile suggested it was going to take years to fully realize the benefits of those cybersecurity improvements, even as it claimed that protecting customer data remains a top priority.


Original Submission

 
This discussion was created by janrinok (52) for logged-in users only. Log in and try again!
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Touché) by DannyB on Monday January 23, @10:27PM (1 child)

    by DannyB (5839) Subscriber Badge on Monday January 23, @10:27PM (#1288254) Journal

    The SH is for Security Hardened in SHIoT.

    --
    Scissors come in consumer packaging that cannot be opened without scissors.
    Starting Score:    1  point
    Moderation   +2  
       Funny=1, Touché=1, Total=2
    Extra 'Touché' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   4  
  • (Score: 0) by Anonymous Coward on Tuesday January 24, @05:23PM

    by Anonymous Coward on Tuesday January 24, @05:23PM (#1288386)

    > The SH is for Security Hardened in SHIoT.

    That must be the tail end of the IoTtS...
                Internet of Things that Suck

    We've come along way since the original ITS -- Incompatible Timesharing System. Sources, short feature list and build instructions here, https://github.com/PDP-10/its [github.com] The security hasn't gotten any better (iirc, ITS has none, by design).