T-Mobile’s reputation on cybersecurity matters is being put to the test, on repeat and at a scale and cadence with few obvious comparisons in telecom or enterprise at large.
The company committed to improving its security posture and increasing investments in data privacy and related technologies after a massive data breach in August 2021, but it was not enough to foil an intrusion that occurred the day after last Thanksgiving.
T-Mobile on Thursday said it detected a threat actor using an application programming interface to access customer account data on Jan. 5, and “shut it down within 24 hours,” but not before the records of 37 million customers were compromised.
The malicious activity, a compromise that occurred on Black Friday, one of the days during the holiday season experts warn security teams to be on high alert, went undetected for 41 days.
The repeated security lapses at T-Mobile show a pattern, according to analysts. The carrier has been hit by two huge breaches in 15 months, but the addition of at least six other security incidents during the last five years indicates a misalignment between security investments and outcomes.
“To be hacked twice in the span of a bit over a year is pretty egregious,” Mauricio Sanchez, research director of network security at Dell’Oro Group, said via email. “One would think that after the string of hacks and the significant penalty it would have led T-Mobile to up their game, but it’s pretty evident it didn’t.”
T-Mobile declined a request for further comment.
Breaches beget breaches
The latest incident marks T-Mobile’s eighth publicly acknowledged data breach since 2018. “That’s all you need to know about their lack of urgency around this,” said Zeus Kerravala, founder and principal analyst at ZK Research.
“Clearly they are behind the other carriers and this becomes a cyclical problem,” Kerravala said. “Since they appear to be easier to breach, hackers will focus on them, causing more breaches.”
The gap between the threat actor’s initial intrusion and T-Mobile’s detection can be attributed to multiple unresolved challenges for the mobile network operator, according to multiple analysts.
“It does point to some severe failings, in particular after the many promises to do better after the last sequence of attacks,” Sanchez said.
T-Mobile’s lack of visibility into malicious activity is “the biggest issue,” Kerravala said.
“Breaches happen, everyone knows that,” he said.” But a company like T-Mobile, whose entire business is wrapped up in its networks, should be able to see anomalous traffic that could indicate a breach in almost real time.”
Intrusion underscores common API security challenges
T-Mobile hasn’t shared details about the API exploited by the threat actor, but it’s important to know what purpose it served, where it was exposed, and why it had access to customers’ PII.
“No API is perfect and problems relating to API credential management are extremely common these days,” Justin Fier, SVP of red team operations at Darktrace, said via email.
“While it is unclear what the API in the T-Mobile attack was used for it would be alarming for an external API to have access to this amount of sensitive PII,” Fier said.
The attack scenarios most commonly associated with API data breaches, according to the Open Web Application Security Project, include:
- Broken access control
- Insecure design
- Security misconfiguration
- Identity and authentication failures
- Logging and monitoring failures
Mismatched priorities endanger enterprises
The predominant challenge confronting organizations isn’t so much an inability to take security seriously.
“The problem is security is not the primary focus for these companies, but it is the primary focus for the attackers,” said Chris Nicoll, senior principal analyst at Nicoll Associates.
“[Threat actors] spend their full time designing and adapting their attacks. That is not to say that companies, such at T-Mobile, should be off the hook when an attack does occur,” he said.
Malicious actors are “masterful at hiding their activities,” and it’s incumbent on T-Mobile to be more diligent at monitoring and managing its systems, Nicoll said.
Short of a financial penalty and potential regulatory actions, the setbacks to T-Mobile, following this latest incident, will be minimal, analysts tell Cybersecurity Dive.
Fatigue and abstract concepts typically applied to security breaches might also diminish the fallout for T-Mobile.
But T-Mobile customers should be wary, Kerravala said. “In a world that is becoming rapidly digitized, the mobile phone is now the control point of our lives. If you can’t trust your mobile operator, that’s a huge problem.”