A security breach involving T-Mobile generated a significant amount of media coverage last week after the wireless phone provider acknowledged the incident with a public statement.
The incident, in which a person or group accessed basic, non-sensitive information on about 37 million customers, was quickly compared to earlier breaches in which T-Mobile was the victim of large-scale cyberattacks that leaked sensitive customer information onto the Internet, one of which triggered at least two class action lawsuits against the company.
The latest security incident generated headlines coloring the episode as an “attack,” leading many to believe that T-Mobile was on the receiving end of compromise similar in nature to what the phone company has faced over the last several years.
ABC News wrote that T-Mobile was “breached by hackers,” while Red Ventures website CNET — which has faced some scrutiny for using robots to write stories — claimed T-Mobile got “hacked again.” USA Today characterized the incident as a “hack,” too, and CNN’s headline went so far as to state that the 37 million customers themselves were “hacked.”
But the latest security incident involving T-Mobile and its 37 million customers was not a hack in the conventional sense. The “bad actor” that T-Mobile blamed for the incident simply exploited a door that T-Mobile left open for some legitimate purposes, and used it to harvest data of millions of customers (who, themselves, were not hacked, despite CNN’s headline).
In a filing with the Securities and Exchange Commission last week, a T-Mobile executive wrote that the “bad actor” — who may have acted alone, or might be connected to a larger group — used an application programming interface (API) to access some customer data in a way that went beyond what the company intended.
Simply put, APIs allow developers to access certain parts of another website or service when they are building their own applications. A good example can be found at Twitter: For years, the company offered an API that allowed developers like Tapbots and the Iconfactory to build Tweetbot and Twitterrific, software that let users send tweets, read messages and perform other functions associated with the Twitter website.
The API allowed Tweetbot and Twitterrific to interact with various parts of Twitter's website and servers, until Twitter recently decided to change who could access its API and for what purpose. The changes essentially broke Tweetbot and Twitterrific, because they were cut off from the parts of Twitter they needed to reach through the API in order to work.
T-Mobile hasn’t explained why non-sensitive customer information like names, home addresses and phone numbers was available through an API, but it could have been for any number of reasons. It could have been connected to social media-based customer service, where users are asked to authenticate themselves as T-Mobile subscribers when seeking help through Twitter and Facebook. It could also have been part of T-Mobile’s external sales efforts, where some customer information is sold to third parties for marketing and advertising purposes.
What is known is that the person or group T-Mobile is calling a “bad actor” first started accessing the company’s API and collecting data around November 25 of last year, and continued accessing the API and collecting data until the company became aware of the practice on January 5. On average, the person or group was able to obtain data from around 902,000 accounts each day for that 41-day period.
T-Mobile says it is working with law enforcement, including the Federal Bureau of Investigation, which has some jurisdiction over Internet-based compromises of data. If the FBI finds that the individual or group responsible accessed information through T-Mobile’s API that it wasn’t authorized to obtain, it could result in criminal charges under the Computer Fraud and Abuse Act, the somewhat controversial federal anti-hacking statute.
A felony charge under the statute typically requires proof that the victim sustained a loss of at least $5,000 in a one-year period, which T-Mobile could establish simply by showing it spent at least that much on staff time responding to the data breach. Customers, on the other hand, will have a hard time showing loss, because T-Mobile affirmed that data like passwords, credit card numbers and Social Security numbers weren’t compromised in this incident.
While it might be splashy to suggest T-Mobile was the victim of an orchestrated and sophisticated cyberattack, the reality of the situation is actually more boring: T-Mobile wasn’t particularly careful in deciding who should get access to an API. A “bad actor” didn’t need to do anything elaborate like guess a username and password or force their way in using the software equivalent of burglary tools — they simply connected to T-Mobile’s API, as anyone could have done, and grabbed the data that was freely available to take.
To T-Mobile’s credit, it never characterized the incident as a “hack,” and never described the individual or group who carried it out as “hackers,” even though journalists quickly jumped to those conclusions. But the reality of what happened, that someone walked through an open door and grabbed whatever was there to take, requires a serious shift in the conversation. Why was that information available to take? Why didn’t T-Mobile better scrutinize who could access its API, restrict each caller to the accounts and fields it actually needed, and cap how much any one caller could pull? As long as reporters dismiss the breach as a “hack,” those questions probably won’t be answered.
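To make those questions concrete, here is an added illustration that is not from the article and not T-Mobile's code (the design of the actual API was never disclosed). It shows a hypothetical customer-lookup handler of the kind the article describes, where holding a valid key is enough to read any account and the whole record comes back, beside a scoped version that binds each key to the accounts it may read, returns only the fields a partner needs, caps daily volume, and answers "not found" identically for unauthorized and nonexistent accounts so the endpoint cannot be used to confirm account numbers. The customer records, API keys, quotas and field list are all constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data standing in for a subscriber database (not real records).
CUSTOMERS = {
    "100001": {"name": "Ada Example", "address": "1 Main St", "phone": "555-0100", "dob": "1980-01-01"},
    "100002": {"name": "Bo Example", "address": "2 Main St", "phone": "555-0101", "dob": "1981-02-02"},
    "100003": {"name": "Cy Example", "address": "3 Main St", "phone": "555-0102", "dob": "1982-03-03"},
}

# Hypothetical partner credentials: the accounts each key may read and how many
# lookups per day it may make. Quotas are tiny here so the cap is visible in a demo.
API_KEYS = {
    "partner-key-A": {"accounts": {"100001"}, "daily_quota": 2},
    "partner-key-B": {"accounts": {"100002", "100003"}, "daily_quota": 2},
}

# Fields a partner integration legitimately needs (assumption); everything else is withheld.
PARTNER_FIELDS = ("name", "phone")


class ApiError(Exception):
    """Carries the HTTP-style status the endpoint would return."""
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def lookup_open(api_key: str, account_id: str) -> dict:
    """Weak handler: any valid key can read any account, and the full record is returned.
    Authentication is checked but authorization is not, so a caller who can guess or
    enumerate account numbers can walk the entire customer base."""
    if api_key not in API_KEYS:
        raise ApiError(401, "unknown API key")
    if account_id not in CUSTOMERS:
        raise ApiError(404, "not found")
    return dict(CUSTOMERS[account_id])


class DailyCounter:
    """In-memory per-key request counter bucketed by calendar day (single-process assumption)."""
    def __init__(self):
        self._counts = defaultdict(int)

    def increment(self, api_key: str, day: date) -> int:
        self._counts[(api_key, day)] += 1
        return self._counts[(api_key, day)]


def lookup_scoped(api_key: str, account_id: str, counter: DailyCounter, today: date = None) -> dict:
    """Hardened handler: the key must be bound to the account (object-level authorization),
    only the minimal field set is returned, and each key has a daily quota so an abused
    or stolen key cannot be used to harvest at scale."""
    today = today or date.today()
    key = API_KEYS.get(api_key)
    if key is None:
        raise ApiError(401, "unknown API key")
    # Count the attempt before authorizing, so failed probes burn quota too.
    if counter.increment(api_key, today) > key["daily_quota"]:
        raise ApiError(429, "daily quota exceeded")
    # Identical response whether the account is missing or merely not bound to this key,
    # so the endpoint does not act as an oracle for valid account numbers.
    if account_id not in key["accounts"] or account_id not in CUSTOMERS:
        raise ApiError(404, "not found")
    record = CUSTOMERS[account_id]
    return {f: record[f] for f in PARTNER_FIELDS}


def status_of(fn, *args) -> int:
    """Return the status a handler call would produce (200 on success)."""
    try:
        fn(*args)
        return 200
    except ApiError as e:
        return e.status


def harvest(api_key: str, fetch) -> int:
    """Simulate an enumeration sweep over every account number with one key and
    return how many records the sweep obtained."""
    got = 0
    for account_id in CUSTOMERS:
        if status_of(fetch, api_key, account_id) == 200:
            got += 1
    return got


if __name__ == "__main__":
    print("open handler, records harvested:", harvest("partner-key-A", lookup_open))
    counter = DailyCounter()
    print("scoped handler, records harvested:",
          harvest("partner-key-A", lambda k, a: lookup_scoped(k, a, counter)))
```

Against the constructed data, a sweep with one key through the open handler collects every record; through the scoped handler it collects only the one account the key is bound to, and the sweep trips the quota before it finishes. In production the counter would live in a shared store, the quota would be sized to the partner's real traffic, and a sustained rate far above it (the article's figure of roughly 902,000 accounts per day is the sort of volume that should stand out) would be an alert, not just a 429.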