Learn from the T-Mobile API Breach to Improve Your API Security Program in 2023

A CISO’s job has never been more challenging. Engineering teams move fast, especially as organizations are accelerating their digital transformation efforts. The tech stack is exploding and varies greatly across the organization. And there is a surge of internal, external, and partner APIs.

It’s T-Mobile in the headlines today, but frankly it could be any other Fortune 1000 here. The job of protecting APIs requires a different tool- and skill-set, and organizations need to adapt as they leverage more and more APIs to support their innovation, competitive and customer-focused efforts.

What we know about the breach

Here’s what we know so far about today’s T-Mobile hack, based on an 8-K filing with the SEC and official press release:

• Bad actor obtained data through a single API
• It’s possible the abused API didn’t have authorization, or the attacker managed to by-pass it or exploited a BOLA vulnerability (the SEC filing says a bad actor was obtaining data through a single API … without authorization).
• API Abuse impacted approximately 37 million customer accounts.
• T-Mobile and their external cybersecurity experts were able to stop the malicious activity within a day of learning of it.
• The impacted API provided “limited” access to customer data, including name, billing address, email, phone number, date of birth, and account number & some other details.

How to improve your API Security Strategy in 2023-2024

1. Discover and inventory all your APIs. Maintain a centralized inventory of all your APIs, both managed & unmanaged, and both public-facing & design for internal use. You can and should automate this process.
2. Assess and score your API risk. Which APIs handle sensitive data? Which of them don’t have authentication/authorization? Which of them handles sensitive data AND doesn’t have authentication/authorization? Why? Automatically alert your team if the risk score is above your threshold.
3. Prevent API Abuse. Is it normal behavior if a single user / IP / credential fetches data with millions of requests within a certain period of time? Probably not, so block the user/session proactively, block the IP if required, and alert the team. You can do this automatically.
4. Have adequate security controls. There is a chance that the API didn’t have authorization. Or maybe it has been an Injection (OWASP API8:2019) or BOLA (OWASP API1:2019) vulnerability which led to the breach. Modern API security products can remediate these issues. Old tools like cloud WAFs and API gateways can’t.
5. Proactively remediate issues quickly. T-Mobile were able to end the malicious activity within a day of discovery, which might be considered pretty fast if it weren’t for the 40+ day dwell time. When talking about APIs, anything that is not real-time and immediate is not fast enough. The attacker was able to execute millions of requests and retrieve millions of records quickly – we need to be able to do the same.

As Ivan Novikov, CEO and co-founder of Wallarm, noted: "The T-Mobile API breach serves as a reminder of the critical importance of API security in today's digital landscape. As a leading API security company, Wallarm is uniquely equipped to mitigate the risk of similar breaches for organizations of all sizes. We understand the challenges that CISOs and security executives face and are committed to providing the tools and expertise needed to protect against API abuse. By learning from this incident, we can all take steps to improve our API security programs in 2023 and stay ahead of the curve in the ongoing battle against cyber threats."