Slash Boxes

SoylentNews is people

posted by janrinok on Monday January 23, @01:41PM   Printer-friendly
from the see-what-breach-is-next dept.

New T-Mobile Breach Affects 37 Million Accounts:

T-Mobile today disclosed a data breach affecting tens of millions of customer accounts, its second major data exposure in as many years. In a filing with federal regulators, T-Mobile said an investigation determined that someone abused its systems to harvest subscriber data tied to approximately 37 million current customer accounts.

In a filing today with the U.S. Securities and Exchange Commission, T-Mobile said a "bad actor" abused an application programming interface (API) to hoover up data on roughly 37 million current postpaid and prepaid customer accounts. The data stolen included customer name, billing address, email, phone number, date of birth, T-Mobile account number, as well as information on the number of customer lines and plan features.

APIs are essentially instructions that allow applications to access data and interact with web databases. But left improperly secured, these APIs can be leveraged by malicious actors to mass-harvest information stored in those databases. In October, mobile provider Optus disclosed that hackers abused a poorly secured API to steal data on 10 million customers in Australia.

T-Mobile said it first learned of the incident on Jan. 5, 2023, and that an investigation determined the bad actor started abusing the API beginning around Nov. 25, 2022. The company says it is in the process of notifying affected customers, and that no customer payment card data, passwords, Social Security numbers, driver's license or other government ID numbers were exposed.

In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver's license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company. That breach came to light after a hacker began selling the records on a cybercrime forum.

Last year, T-Mobile agreed to pay $500 million to settle all class action lawsuits stemming from the 2021 breach. The company pledged to spend $150 million of that money toward beefing up its own cybersecurity.

In its filing with the SEC, T-Mobile suggested it was going to take years to fully realize the benefits of those cybersecurity improvements, even as it claimed that protecting customer data remains a top priority.

Original Submission

This discussion was created by janrinok (52) for logged-in users only. Log in and try again!
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Insightful) by corey on Monday January 23, @11:22PM

    by corey (2202) on Monday January 23, @11:22PM (#1288265)

    America, your turn. We (Aussies) had exactly the same thing a few months ago - one of the big three telcos had an openly web available API that was exploited. Of course they blamed the “hacker”, but it was obvious to anyone in the industry or with knowledge in anything IT that this was a huge security blunder. They even got our version of GCHQ / NSA to help. Because they apparently lost something like a third of the country’s populations details. Including real personal stuff like drivers license numbers which are used for ID verification. Hence that bulk of people then were exposed to identity theft. The (among many) stupid thing is that they should not have only retained the data on a lot of the affected people because they were former customers from years back. But the government has laws forcing them to hold the data for years.

    It was a massive, frustrating, joke. I feel for all the T-mobile folk.

    Oh and shortly after, Medibank who are a private health insurer were hacked (I don’t know the details of that) and people’s medical information and records were taken. Insane.

    Starting Score:    1  point
    Moderation   +1  
       Insightful=1, Total=1
    Extra 'Insightful' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3