Decades of data breaches, from Target to Equifax and now T-Mobile, have forced consumers to keep learning about new breach attack vectors the hard way: by having their personal information exposed. In this latest incident, T-Mobile disclosed that hackers exploited a flaw in an application programming interface (API), a software interface that applications and systems use to exchange data, normally only after the caller has authenticated. T-Mobile hasn’t specified how the API was compromised, just that the threat actor used one of its APIs to steal the personal information of 37 million current customer accounts between November 25, 2022, and January 5, 2023.
While this is startling and disheartening for consumers, the T-Mobile incident is cautionary for enterprises too. It spotlights the larger challenge for CISOs, CEOs, and boards—revectoring their cyber strategy to address the transition from attacks on network resources to attacking applications and APIs.
T-Mobile is another example of the trend we highlighted in a recent blog post: API security is increasingly hitting the headlines because of major data breaches. T-Mobile’s breach tops the leak at Optus, an Australian telecommunications provider, which exposed more than 10 million account records. Exploitation of a Twitter API vulnerability exposed the email and account information of 235 million users, leaving them open to targeted social engineering, phishing, and spam campaigns.
These won’t be the last API attacks on applications that we hear about. API attacks are forecast to become the top threat vector that enterprises face. Consumers crave the connected experiences, personalization, and rich functionality that APIs let companies deliver. As businesses, B2B and B2C alike, move more of their operations to the cloud, explore how to share and use data, and put API-enabled capabilities at the core of their business models, API security becomes correspondingly more important in protecting against this quickly escalating threat vector.
In light of the T-Mobile incident, it’s sobering to be reminded that this happened in a mature industry, one that has long considered the implications of network security and that has adopted industry API standards such as the TM Forum Open APIs. And T-Mobile’s security operations center is surely full of smart, experienced network security experts.
While we’re not privy to the particulars, it seems that T-Mobile, like most big companies, digitally transformed to 5G with a classic network-centric cybersecurity strategy that assumed authentication controls would protect the application layer as well. This is the crux of the challenge many companies are experiencing: network security and application/API security aren’t one and the same. Too often, companies have few application security experts, and those they do have are buried in application development teams in a different part of the company.
Another concerning trend is that attackers are exploiting the application layer as fully authenticated users, reconnoitering APIs made available via free trials, low-cost plans, and the like. Every request they send carries a valid credential, so nothing about any single call looks wrong. And given the explosion of APIs in most large organizations, these authenticated attackers have a target-rich environment!
It’s natural to wonder how API attacks continue to go unnoticed for months, as in the T-Mobile breach. Massive amounts of data traverse APIs daily: by some estimates, 60% of internet traffic is attributed to APIs. Just as social engineers will try to tailgate a group of employees into a secure facility, blending in with the many entrants, so too will hackers try to blend in with the omnipresent flow of internal and partner traffic through APIs.
That sheer volume of traffic is more than log collection and manual review can sift through in time to detect an attack, let alone remediate it. Add the myriad other potential API weaknesses, such as misconfiguration by engineers who aren’t well versed in security, unofficial “rogue” APIs, session hijacking, and even inaccurate or missing documentation, and it’s easy to see that API security must cover a very large attack surface.
Securing against API attacks means that businesses need to be able to allow valid traffic to flow through uninterrupted, while effectively detecting and screening out malicious traffic, active attacks, and threats.
The damage from this latest API attack hasn’t been limited to the exfiltration of personal data. T-Mobile’s previous breaches are being detailed in the press, inflicting reputational harm too (this is number eight since 2018). Attackers will keep trying to exploit these vulnerabilities at an even faster rate, since they were able to hit pay dirt in an industry where security controls are otherwise mature. With the breach damage continually mounting, it’s critical for enterprises to pivot their cyber strategies to address the risk of API attacks now.
What’s needed? Organizations need to prioritize this increasingly popular attack vector. An effective strategy starts with a solution that can detect and alert on API attacks and threats in real time, supporting teams as they skill up in this critical security domain. Continuous API security, which scans all API traffic at runtime for active attacks and threats, lets teams respond in hours rather than months. It should be engineered for deep inspection at scale, ferreting out malicious traffic from the high volume of API traffic flowing through an organization’s networks, API gateways, or applications, or any combination of these, and analyzing both individual requests and aggregate API traffic. With the proper API security solution, you can reduce your risk exposure, and the risk that consumers will wake up to news of yet another attack.
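To make the "individual versus aggregate" distinction above concrete, here is an added example written for this page; it is not T-Mobile's, a vendor's, or any product's logic. It takes a constructed API gateway log in which every request is individually valid (authenticated caller, well-formed path, HTTP 200), shows that a per-request check finds nothing, and then groups requests by principal to flag an account that is reading many other customers' records inside a short window, which is the authenticated enumeration pattern described earlier. The log format, the `/v1/accounts/<id>/...` path scheme, the `acct-<id>` principal naming, the `svc-billing` allowlist, and the 60-second/5-account thresholds are all assumptions made for the example; real gateways and baselines will differ.

```python
"""Per-principal aggregate analysis of API access logs (constructed example).
Each request is individually valid; only grouping by principal reveals the
enumeration of other customers' account IDs."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Optional
import json
import re

# Assumed conventions for this example: customers authenticate as acct-<id>,
# internal jobs by service name, and customer data lives under /v1/accounts/<id>/.
ACCOUNT_PATH = re.compile(r"^/v1/accounts/(\d+)(?:/|$)")
CUSTOMER_PRINCIPAL = re.compile(r"^acct-(\d+)$")
# Internal jobs that legitimately read many accounts. Keep this list short and
# reviewed: it is the piece of "let valid traffic through" attackers most want.
TRUSTED_PRINCIPALS = frozenset({"svc-billing"})


@dataclass
class Event:
    ts: int; principal: str; method: str; path: str; status: int
    account_id: Optional[str]  # account referenced in the path, if any


@dataclass
class Alert:
    principal: str; distinct_foreign: int; requests: int
    window_start: int; window_end: int


def _rec(ts, principal, path, status=200):
    return json.dumps({"ts": ts, "principal": principal, "method": "GET",
                       "path": path, "status": status})


# Constructed sample log: one JSON record per line, as a gateway might emit it.
SAMPLE_LOG = "\n".join(
    [_rec(1672531200, "acct-1001", "/v1/accounts/1001/profile"),
     _rec(1672531230, "acct-1001", "/v1/accounts/1001/billing"),
     _rec(1672531260, "acct-1002", "/v1/accounts/1002/profile")]
    # a trial account walking sequential customer IDs, one request per second
    + [_rec(1672531300 + i, "acct-9001", f"/v1/accounts/{1001 + i}/profile")
       for i in range(12)]
    # an internal batch job that legitimately reads many accounts
    + [_rec(1672531400 + i, "svc-billing", f"/v1/accounts/{2001 + i}/billing")
       for i in range(6)]
)


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        m = ACCOUNT_PATH.match(r["path"])
        events.append(Event(r["ts"], r["principal"], r["method"], r["path"],
                            r["status"], m.group(1) if m else None))
    return events


def looks_malicious_alone(ev):
    """All a per-request check can see: errors or injection-looking paths."""
    return ev.status >= 400 or ".." in ev.path or "'" in ev.path


def own_account(principal):
    m = CUSTOMER_PRINCIPAL.match(principal)
    return m.group(1) if m else None


def detect_enumeration(text, window_seconds=60, threshold=5, trusted=frozenset()):
    """Flag a principal that reads >= threshold distinct accounts it does not
    own within a sliding window. Emits at most one alert per principal."""
    by_principal = defaultdict(list)
    for ev in parse_log(text):
        by_principal[ev.principal].append(ev)
    alerts = []
    for principal, evs in by_principal.items():
        if principal in trusted:
            continue
        own = own_account(principal)
        evs.sort(key=lambda e: e.ts)
        window, foreign = deque(), Counter()
        for ev in evs:
            window.append(ev)
            if ev.account_id and ev.account_id != own:
                foreign[ev.account_id] += 1
            while ev.ts - window[0].ts > window_seconds:  # age out old requests
                old = window.popleft()
                if old.account_id and old.account_id != own:
                    foreign[old.account_id] -= 1
                    if not foreign[old.account_id]:
                        del foreign[old.account_id]
            if len(foreign) >= threshold:
                alerts.append(Alert(principal, len(foreign), len(window),
                                    window[0].ts, ev.ts))
                break
    return alerts


if __name__ == "__main__":
    for a in detect_enumeration(SAMPLE_LOG, trusted=TRUSTED_PRINCIPALS):
        print(a)
```

Run as written, the per-request check passes every record, while the aggregate pass flags `acct-9001` after its fifth foreign account in five seconds and leaves the allowlisted `svc-billing` job alone. Remove the allowlist and the batch job is flagged too, which is the trade-off the text describes: the same logic that lets valid traffic flow has to be deliberate about what "valid" means for each principal.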