T-Mobile data breach shows importance of securing internal tools

A flaw in T-Mobile's website allowing anyone to access customer data highlights the need for internal audits and authentication.

Video: How to use the data breach calculator

A bug found on T-Mobile's website allowed anyone with a customer's phone number to access their name, address, billing account number, security PIN, and even tax identification numbers in some cases, our sister site ZDNet exclusively reported Thursday.

The flaw, which has since been patched, was found in a T-Mobile subdomain that employees use as a customer care portal to access internal tools. However, anyone could search for the subdomain--promotool.t-mobile.com--and a hidden API would display customer data if that person's cell phone number was added to the end of the web address, ZDNet reported.

Though intended for employee use, the subdomain was not protected by a password, allowing anyone to access this information and by extension, customer accounts and data.

The issue highlights the importance of securing internal tools at any business. For one, the subdomain should not have been on a public IP address, but behind a firewall for more protection. There also should have been some form of authentication required to access the portal and information.

SEE: Incident response policy (Tech Pro Research)

Business should audit their own internal databases and tools to ensure there are no security issues like this lurking. The consequences of a breach, both financial and reputation-wise, are dire: For enterprises, the cost of a data breach is around $1.23 million, and for SMBs, it's $120,000, according to Kaspersky Lab. With more than 74 million customers, a T-Mobile data breach would have a major impact.

The buggy API was reported to T-Mobile in April by security researcher Ryan Stevenson. The company took the site offline the next day, and awarded Stevenson $1,000 in a bug bounty, ZDNet reported.

"The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure," a T-Mobile spokesperson told ZDNet. "The bug was patched as soon as possible and we have no evidence that any customer information was accessed."

This is not T-Mobile's first security incident of this type: This bug is nearly identical to an exposed API located in another subdomain that was uncovered last year, which also exposed customer data, Motherboard reported. Though T-Mobile had said it found no evidence that this data was stolen by malicious parties, it was later revealed that hackers had been exploiting the bug for weeks.

The promotool.t-mobile.com site has been online since at least October 2017, ZDNet reported.

The big takeaways for tech leaders:
  • A bug found on T-Mobile's website allowed anyone with a customer's phone number to access their name, address, billing account number, security PIN, and tax identification numbers in some cases.
  • The bug demonstrates the need for companies to ensure that their internal portals and tools are secure.

Also see

Image: iStockphoto/Marek SLUSARCZYK