T-Mobile Breach Highlights Common Corporate Security Weakness

Companies rely on APIs as they expand technology projects, often without proper security measures, cybersecurity analysts and researchers say.

“Every API you add is a new addition to your overall attack surface,” said Theresa Payton, chief executive of Fortalice Solutions LLC, a cybersecurity consulting firm.

T-Mobile disclosed the data breach on Thursday to the Securities and Exchange Commission. The company’s filing said the API that was breached allowed hackers to access some forms of customer data, including names, billing addresses, emails, phone numbers and dates of birth. The company said it may “incur significant expenses” as a result of the incident.

T-Mobile was previously hacked in 2021 in a breach that exposed the data of more than 50 million customers. Last year, the company offered to pay $350 million to settle a class-action suit, and pledged to spend $150 million on security in 2022 and 2023.

Other large companies’ APIs have proven vulnerable recently. Early this month, security researcher Sam Curry showed he could remotely control vehicles, including starting and stopping them, after discovering security flaws in APIs in cars from manufacturers including Mercedes-Benz Group AG, Porsche Automobil Holding SE and Bayerische Motoren Werke AG . Mr. Curry said he notified the companies of the vulnerabilities before disclosing them publicly. The manufacturers didn’t respond to requests for comment.

In December, the U.S. Cybersecurity and Infrastructure Security Agency circulated an advisory warning companies about an API-related vulnerability in a product from tech company provider Veeam Software. The company issued a security patch.

“API security is an area that’s largely been overlooked,” said Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center, a nonprofit group that enables healthcare organizations to share information about cyber threats. The main challenge is getting cybersecurity teams to realize how vulnerable their APIs are, he said.

There is a lack of understanding on how to secure APIs outside of cybersecurity teams, and there may be different business units within companies involved in creating an API, Ms. Payton said. Plus, there has been a rapid expansion of tech projects since the start of the Covid-19 pandemic, which often leads companies to skip some security steps, she added.

By 2025, less than half of companies’ APIs will be managed properly because their growth will eclipse the ability of management tools, Gartner Inc. forecast in 2021.

Common practices to secure APIs include using user authentication and authorization and encrypting their communications. Many companies use these security protections, but there is so much development in APIs that some may be outdated or no longer maintained, said Altaf Shaik, a senior researcher at the Technische Universität Berlin, which specializes in technology research. “It’s hard to protect them all,” he said.

APIs are particularly crucial for 5G products, and some telecom carriers are likely to overlook security because they are rushing to bring those products to market, he said.

Mr. Shaik and another researcher tested the API security of 10 unnamed mobile carriers in August. Only one detected the researchers’ simulated attacks, while others appeared not to watch their APIs for suspicious activity, he said. T-Mobile wasn’t among the carriers the researchers tested, he added.

“Real-time monitoring is something that’s missing,” he said.

Write to Catherine Stupp at catherine.stupp@wsj.com