Submit support requests and browse self-service resources.
T-Mobile is no stranger to data breaches. In this blog, we share what happened when a T-Mobile API exposed customer data in data breach in August 2018.
In late August, T-Mobile announced a data breach. Data for more than 2 million T-Mobile customers was accessed in a coordinated exploitation of an improperly secured API. T-Mobile stated that no banking or social security numbers were exposed. But the following types of personally identifiable information (PII) were breached:
In 2017, T-Mobile had a similar issue with their "wsg" API. In this case, very little technical skill was needed to query the API for customer data. One simply needed to change the phone number parameter of the API to look up the details of any customer.
There are lessons to be learned from the T-Mobile data breaches. Here's what you could do to protect your APIs and data.
The Common Weakness Enumeration (CWE) Top 25 Vulnerabilities list documents the most common and highest risk errors found in connected systems. They even suggest effective mitigations including:
The CWE Top 25 list is also organized into three categories of vulnerabilities:
Clearly the T-Mobile APIs that were breached had issues with Porous Defenses and Insecure Interaction Between Components.
Our recent white paper, Securing the Edge API and the Microservices Mesh, suggests additional ways to leverage a mature API gateway platform to:
📕 get the white paper
These T-Mobile data breaches resulted from vulnerabilities that were implemented in production. This indicative of a lack of a mature API gateway. You need to enforce policy rules for identity authentication and authorization at the edge of the network — and in front of the physical API servers and the application and data tier.
This is one of the areas where the Akana API Gateway shines. Leading enterprise customers around the globe rely on Akana's industry-leading API security to protect their most sensitive applications.
See for yourself how Akana can help you ensure security and prevent a data breach, like the one T-Mobile suffered.
START MY TRIAL
Explore additional resources:
API Security & Integration Architecture, Akana
Ryan Bagnulo has implemented API integration and security and privacy solutions for hundreds of global transactional systems over the past 2 decades, with deep technical experience in investment banking high performance grid computing as well as connected electronic medical devices and international regulatory compliance. Ryan was the first chief security officer and the head of Solution Architecture for Joyent, a container focused cloud IaaS startup in 2010, and has worked with a number of Silicon Valley startups on cloud API IoT and Microservices innovations.