The Telecom Industry: Why APIs Are Becoming their Worst Nightmare

In the last six months, the telecom industry has been hit by several massive, high-profile data breaches, most of which were carried out by abusing unprotected APIs.

Gartner predicted that by 2022 APIs would be the most frequent attack vector, and that prediction has held up: APIs are now the number-one attack vector, and in the last six months we have seen major API-related security incidents across the telecom industry.

Most API-related breaches happen for a simple reason: the organization did not know the unsecured API existed. You cannot secure what you cannot see, so the door was left wide open to attackers.

It is fairly obvious that a company that is not looking for its unsecured APIs will not find them. Threat actors prove time and again that while companies may not be looking, attackers are. There is no way to win a race you have not started, so attackers reach the unsecured APIs first.

The telecom industry is no exception; in fact, the nature of the business makes it especially exposed. Subscribers reach nearly every application they rely on for work and daily life through a carrier's network and account systems, and the industry is struggling to stay ahead of attackers.

Legacy infrastructure does not always merge cleanly with modern solutions, and because telecom is treated as critical infrastructure in many places, attacks and breaches in this industry can have disastrous implications. Huge amounts of highly sensitive data are exchanged, and any of it that is left unprotected can be the starting point of a breach whose ripple effects are massive and lasting.

The most recent and most impactful data breaches in the telecom industry (T-Mobile, Optus) were API-related attacks. They should serve not only as a warning but as the signal of an industry-specific security trend. So, if you work in security in the telecom industry, here is your sign: discover and protect your APIs before attackers discover them and leave you scrambling in the fallout.

Last September, Optus, the second-largest wireless carrier in Australia, suffered a data breach followed by an attempted $1 million extortion demand after an attack on an API endpoint. If you are not familiar with the event, the Australian broadcaster ABC quoted a “senior figure” inside Optus who said that an API for an Optus customer identity database had been opened to a test network that “happened to have internet access.” Without the visibility an API discovery solution provides, Optus had no way of knowing it had an unsecured API that could be abused. Unfortunately, while Optus was not looking for its unknown APIs, threat actors were, and they found one.

The response to these attacks seems to be more investment in IAM, which is a start, but only a start. The Australian federal government is also rewriting its cyber laws in response, and it is critical that those laws incorporate API cataloging requirements at a minimum. According to Andy Penn, chair of an expert advisory cybersecurity body, “since COVID we’ve seen a dramatic increase of digital adoption, and unfortunately we’ve also seen a dramatic increase in the rate of cyber crime.”

That is certainly true, and with the rise of digital adoption we have seen a boom in API usage. Given that APIs are now the largest attack vector, and that an unknown API was the root cause of the Optus breach, the only real solution is to catalog your API attack surface and then secure it.

On Thursday, January 19th, T-Mobile disclosed its latest data breach, which affected approximately 37 million customers. As stated on its website:

“We are currently in the process of informing impacted customers that after a thorough investigation we have determined that a bad actor used a single Application Programming Interface (or API) to obtain limited types of information on their accounts.” According to its 8-K SEC filing, the bad actor first retrieved data through the API in question on or around November 25, 2022.

In T-Mobile’s case, the threat actor had access to the API for roughly six weeks. That is a LOT of time, and it was all made possible because T-Mobile did not have its APIs cataloged, much less protected.
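As an added example of both points made above, the exposed test endpoint in the Optus case and the six-week, single-API harvest in the T-Mobile case, here is Python that runs two checks over API gateway access logs: it lists routes that served successful responses but are missing from the organization's inventory (and whether any of those responses went out without credentials), and it flags clients that read an unusually large number of distinct customer identifiers over a long window. This is illustrative code written for this article, not Traceable's product code and not anything from either carrier's systems; the JSON log format, the `KNOWN_ROUTES` inventory, the client addresses, the sample traffic and the thresholds are all constructed assumptions.

```python
"""Shadow-API discovery and low-and-slow enumeration detection over API
gateway access logs.  Constructed example: the JSON log format, the route
inventory, the sample traffic and the thresholds are all assumptions."""
import json
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Stand-in for the organisation's API inventory (e.g. the routes listed in its
# OpenAPI documents).  Anything observed outside this set is an unknown API.
KNOWN_ROUTES = {("GET", "/v1/customers/{id}/profile"), ("POST", "/v1/login")}

# A path segment that is an integer or a UUID is treated as an identifier.
_ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27})$", re.I)

def templatize(path):
    """Drop the query string and collapse identifier segments to {id}, so that
    /v1/customers/10023/profile and /v1/customers/10024/profile are one route."""
    segments = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if _ID_SEGMENT.match(s) else s for s in segments)

def path_ids(path):
    """Identifier segments of a path, e.g. ('10023',) for a profile read."""
    return tuple(s for s in path.split("?", 1)[0].split("/") if _ID_SEGMENT.match(s))

def parse(lines):
    """One JSON record per line -> dict with a datetime and a templated route."""
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["route"] = (rec["method"], templatize(rec["path"]))
        yield rec

def shadow_endpoints(records):
    """Routes that answered 2xx but are not in KNOWN_ROUTES, noting whether any
    answer went out with no Authorization header (a forgotten test endpoint
    that is reachable from the internet, as described for Optus, lands here)."""
    found = defaultdict(lambda: {"hits": 0, "unauthenticated": False})
    for r in records:
        if r["route"] in KNOWN_ROUTES or not 200 <= r["status"] < 300:
            continue
        found[r["route"]]["hits"] += 1
        found[r["route"]]["unauthenticated"] |= not r["has_auth"]
    return dict(found)

def enumeration_suspects(records, window=timedelta(days=45), max_ids=50):
    """Clients that successfully read more than max_ids distinct identifiers
    within any window-long span.  A per-minute rate limit never notices a client
    reading 40 accounts a day for six weeks; a long sliding window of distinct
    identifiers per client does."""
    by_client = defaultdict(list)
    for r in records:
        ids = path_ids(r["path"])
        if ids and 200 <= r["status"] < 300:
            by_client[r["client_ip"]].append((r["ts"], ids))
    suspects = {}
    for ip, events in by_client.items():
        events.sort()
        in_window, counts, peak = deque(), Counter(), 0
        for ts, rid in events:
            in_window.append((ts, rid))
            counts[rid] += 1
            while in_window[0][0] < ts - window:  # expire events older than the window
                _, old = in_window.popleft()
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            peak = max(peak, len(counts))
        if peak > max_ids:
            suspects[ip] = peak
    return suspects

def constructed_logs():
    """Constructed sample traffic (not real data): two ordinary users, one client
    walking 120 customer ids at 40 per day, and a forgotten unauthenticated test route."""
    base, lines = datetime(2022, 11, 25, 9, 0, 0), []
    def add(ts, ip, method, path, status, has_auth):
        lines.append(json.dumps({"ts": ts.isoformat(), "client_ip": ip, "method": method,
                                 "path": path, "status": status, "has_auth": has_auth}))
    for i, ip in enumerate(["198.51.100.10", "198.51.100.11"]):
        add(base + timedelta(minutes=i), ip, "POST", "/v1/login", 200, False)
        add(base + timedelta(minutes=i, seconds=5), ip, "GET",
            f"/v1/customers/{10000 + i}/profile", 200, True)
    for day in range(3):
        for n in range(40):
            add(base + timedelta(days=day, minutes=30 * n), "203.0.113.7", "GET",
                f"/v1/customers/{20000 + day * 40 + n}/profile", 200, True)
    add(base + timedelta(hours=2), "203.0.113.9", "GET",
        "/internal/test/customers/10001", 200, False)
    return lines

def run_example():
    """Run both detections over the constructed logs; returns (shadow, suspects)."""
    records = list(parse(constructed_logs()))
    return shadow_endpoints(records), enumeration_suspects(records)

if __name__ == "__main__":
    shadow, suspects = run_example()
    print("undocumented routes:", shadow)
    print("enumeration suspects:", suspects)
```

The sliding window is deliberately long (45 days by default) because a per-minute rate limit would never notice a client pulling 40 accounts a day; the detection counts distinct identifiers per client rather than requests, so a legitimate high-volume client that re-reads the same few records is not flagged. In practice the inventory would be generated from the OpenAPI documents and the gateway's own route table rather than written by hand, and the "unauthenticated" flag would come from the gateway's record of whether a credential was validated, not merely whether a header was present.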

Traceable’s CSO, Richard Bird, did an analysis on the T-Mobile data breach. You can read that here.

The unauthorized API access exposed names, email addresses, phone numbers and birthdates. T-Mobile stated that the bad actor did not obtain every data element for every one of the 37 million affected customers. Both prepaid and subscription customers were impacted, and the attackers apparently also obtained the number of lines on each account and the account's service plan features.

T-Mobile claims that no Social Security numbers, credit card information, government IDs, passwords, PINs or financial information was exposed. In terms of ripple effects and the security of your data, that matters less than it sounds. The stolen data may not be what is usually treated as the most sensitive (government identifiers, PHI, payment or account credentials), but it is still PII, and it still poses a serious threat to consumers: phone numbers and email addresses, especially ones known to be current, lead attackers to more sensitive information.

With their email addresses and phone numbers in attackers’ hands, consumers are at risk of identity theft, social engineering and phishing.

And that’s exactly what happened.  

In February, a Google Fi customer’s Coinbase account and MFA app were hijacked. It is exactly what it sounds like: the victim had his Coinbase account taken over, his MFA hijacked and his Outlook email compromised. The most likely cause was the T-Mobile breach: Google Fi, which runs on T-Mobile’s network, informed him and all other customers in a subsequent email that hackers had stolen their information in connection with that breach.

Last week another domino fell in the telecom industry: AT&T reported a breach through a third-party marketing vendor affecting roughly 9 million accounts. AT&T is not disclosing the cause, but the incident is still noteworthy as the third telecom breach in six months. Access to your private data through third-party APIs is a major concern and a likely culprit, so it bears mentioning as a further warning to the telecom industry to strengthen its security measures both inside company operations and across its third-party vendors.

According to Gartner, 94% of organizations use or plan to use public APIs provided by third parties, up from 52% in 2019. If those third-party APIs are not secured, they provide another avenue for attackers to reach data.

These are not hypothetical examples. They are real-world, recent, large-scale instances of exactly what we have been warning about, and the stakes are especially high for industries like telecom that handle enormous volumes of highly sensitive consumer data.

Your APIs are your largest attack surface. Discover them before someone else does, and secure them. Regulations may begin to require cataloging of APIs in the telecom industry, as they already do in financial services, but the most important step is the one you take after you discover and catalog your APIs: protecting them. The decision to secure your APIs lies with your security team and its priorities.



About Traceable 

Traceable is the industry’s leading API security platform that identifies APIs, evaluates API risk posture, stops API attacks, and provides deep analytics for threat hunting and forensic research. With visual depictions of API paths at the core of its technology, its platform applies the power of distributed tracing and machine learning models for API security across the entire development lifecycle. Visual depictions provide insight into user and API behaviors to understand anomalies and block API attacks, enabling organizations to be more secure and resilient. Learn more at traceable.ai.