Image Blog T-Mobile Data Breach Mitigating Risks
September 20, 2018

How Did the T-Mobile Data Breach Happen?


T-Mobile is no stranger to data breaches. In this blog, we share what happened when a T-Mobile API exposed customer data in data breach in August 2018.

How a T-Mobile API Exposed Data

In late August, T-Mobile announced a data breach. Data for more than 2 million T-Mobile customers was accessed in a coordinated exploitation of an improperly secured API. T-Mobile stated that no banking or social security numbers were exposed. But the following types of personally identifiable information (PII) were breached:

  • Name.
  • Billing zip code.
  • Phone number.
  • Email address.
  • Account number.
  • Account type (prepaid or postpaid).
  • Date of birth.

In 2017, T-Mobile had a similar issue with their "wsg" API. In this case, very little technical skill was needed to query the API for customer data. One simply needed to change the phone number parameter of the API to look up the details of any customer.

Prevention Lessons From the T-Mobile Data Breach

There are lessons to be learned from the T-Mobile data breaches. Here's what you could do to protect your APIs and data.

Mitigate CWE Vulnerabilities

The Common Weakness Enumeration (CWE) Top 25 Vulnerabilities list documents the most common and highest risk errors found in connected systems. They even suggest effective mitigations including:

M1Establish and maintain control over all of your inputs.
M2Establish and maintain control over all of your outputs.
M3Lock down your environment.
M4Assume that external components can be subverted, and your code can be read by anyone.
M5Use industry-accepted security features instead of inventing your own.

Use libraries and frameworks that make it easier to avoid introducing weaknesses.

Integrate security into the entire software development lifecycle.

Use a broad mix of methods to comprehensively find and prevent weaknesses.

Allow locked-down clients to interact with your software.


The CWE Top 25 list is also organized into three categories of vulnerabilities:

  • Insecure Interaction Between Components
  • Risky Resource Management
  • Porous Defenses

Clearly the T-Mobile APIs that were breached had issues with Porous Defenses and Insecure Interaction Between Components.

Secure the Microservices Mesh

Our recent white paper, Securing the Edge API and the Microservices Mesh, suggests additional ways to leverage a mature API gateway platform to:

  • Implement ways to deny anonymous API requests.
  • Require Mutual TLS protocol layer trust domains.
  • Authenticate and authorize all API requests especially from public cloud networks.
  • Mediate and filter request parameters for potentially malicious content such as the number one CWE vulnerability that results in a data breach: SQL injection.

📕 get the white paper


Use an API Gateway

These T-Mobile data breaches resulted from vulnerabilities that were implemented in production. This indicative of a lack of a mature API gateway. You need to enforce policy rules for identity authentication and authorization at the edge of the network — and in front of the physical API servers and the application and data tier.

This is one of the areas where the Akana API Gateway shines. Leading enterprise customers around the globe rely on Akana's industry-leading API security to protect their most sensitive applications.

This includes:

See for yourself how Akana can help you ensure security and prevent a data breach, like the one T-Mobile suffered.



👉 Become an Expert

Explore additional resources: