T-Mobile has disclosed a new, enormous breach that occurred in November, which was the result of the compromise of a single application programming interface (API). The result? The exposure of the personal data of more than 37 million prepaid and postpaid customer accounts.

For those keeping track, this latest disclosure marks the second sprawling T-Mobile data breach in two years and more than a half-dozen in the past five years.

And they've been expensive.

Last November, T-Mobile was fined $2.5 million for a 2015 data breach by the Massachusetts attorney general. Another 2021 data leak cost the carrier $500 million; $350 million in payouts to affected customers, and another $150 million pledged toward upgrading security through 2023.

Now the telecom giant is mired in yet another cybersecurity incident.

T-Mobile's Cybersecurity Snafu

The threat actor who claimed to be behind the 2021 breach of 54 million T-Mobile customers, past, present and prospective, John Binns, bragged in an interview with the Wall Street Journal that T-Mobile's "awful" security made his job easy.

But an infrastructure like T-Mobile's means it's tough to cover the entire attack surface, making their systems particularly complicated to shore up, Justin Fier, senior vice president for red-team operations with Darktrace, tells Dark Reading.

"Like most big brands, T-Mobile has a very complex and sprawling digital estate," Fier explains. "It is becoming harder by the day to gain visibility into every aspect of that estate and make sense of the data, which is why we’re increasingly seeing firms lean on technology to perform that role."

However, he adds that breaching a vulnerable API doesn't require much know-how on the part of an attacker.

Besides weak API security, Mike Hamilton CISO of Critical Insight, tells Dark Reading that this latest compromise also demonstrates a lack of network visibility and ability to detect abnormal behavior.

"Details are scant, and there has been no attribution of the 'bad actor,' who apparently had access to data for about 10 days before being stopped," Hamilton says.

T-Mobile's Next Regulator Bout

In the disclosure of the cybersecurity incident, T-Mobile downplayed the stolen account information, adding the data was "basic," and "widely available in marketing databases." While it might read like a glib dismissal of the impact on its customers, the distinction could protect the company from state regulators, Hamilton adds.

"The data may be monetized by selling in bulk, although it's of little actual value," Hamilton says. "Most of the data in the theft can be found in public sources and is unlikely to cause legal action from state privacy statutes like the CCPA (California Consumer Privacy Act)."

However, T-Mo might have more trouble in Europe with GDPR and Information Commissioner's Office (ICO) regulators in the UK, Thomas Cope, CSO of Next DLP, explains to Dark Reading. Penalties like these ultimately will drive investment in the necessary cybersecurity protections, he adds.

"The regulatory oversight of the ICO and GDPR should hopefully bring a large series of fines along with these privacy breaches," Cope says, "which should in turn feed more investment into security teams to help build better controls to guard APIs against the current and future attacks."