Top Data Breaches of 2022 and What they Mean for API Security
2022 was quite a year for data breaches. Isn’t that always the story? Each year the data breaches get worse, resulting in higher costs and brand value erosion, and effectively propelling many security professionals into an existential crisis.
However, several variables made 2022 particularly interesting. While the usual suspects like ransomware, misconfigurations and phishing caused huge amounts of damage, we also saw some of the worst data breaches happen at the API layer – far more than in prior years.
Granted, there were some pretty bad ones years ago, such as Experian, Venmo, and many others.
One thing is for sure – this year made us realize just how insidious and widespread API attacks can be, and how important it is to get a handle on this problem now.
According to Gartner…
- By 2024, API abuse and related data breaches will nearly double.
- By 2022, API abuse will move from an infrequent to the most-frequent attack vector, resulting in data breaches for enterprise web applications.
- 88% of boards regard cybersecurity as a business risk rather than solely a technical IT problem.
- APIs are critical to the success of organizations’ digital transformation programs. In a Gartner survey, 70% of enterprises cited APIs as important to digital transformation and API security as their top challenge.
The Optus API Data Breach
The Australian wireless service provider, Optus, suffered a massive data breach, where the attacker used an unauthenticated API endpoint to gain access to customers’ sensitive data.
This was the first time a major telecommunications company in Australia suffered from such a large and public breach, bringing a huge spotlight to the problem of APIs for the country, and for the world at large.
With more information continuing to be released about the Optus breach, it is becoming clear that companies need to take API security seriously: the financial costs, the damage to reputation and the many other consequences are far greater than the cost of funding security programs that operate transparently to keep customers and their data secure and private.
The information accessed included customers’ names, dates of birth, phone numbers, email and home addresses, driver’s license and/or passport numbers and Medicare ID numbers.
Files containing this confidential information were posted on a hacking forum after Optus refused to pay a ransom demanded by the hacker. Victims of the breach also said that they were contacted by the supposed hacker demanding they pay AU$2,000 (US$1,300) or their data would be sold to other malicious parties.
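The breach pattern described above, an API route that hands out customer records to any caller, as an added example that is not code from the original post, from Optus or from Traceable. It is a framework-free toy router with one deliberately unauthenticated lookup route beside a hardened one, plus the inventory check a defender would run to catch the unauthenticated route; all data, tokens and route names are constructed.

```python
# Added example, not code from the original post or from Optus/Traceable: a tiny
# in-process API with one deliberately unauthenticated customer-lookup route
# (the pattern described in the Optus breach) next to a hardened one, plus an
# audit that flags routes emitting sensitive fields without authentication.
from collections import namedtuple

SENSITIVE_FIELDS = frozenset({"dob", "licence_no", "passport_no", "medicare_id"})
# Constructed sample data; every value is fictitious.
CUSTOMERS = {"1001": {"name": "Test User", "dob": "1990-01-01",
                      "licence_no": "XX000000", "medicare_id": "0000000000"}}
VALID_TOKENS = {"tok-abc": "1001"}  # constructed bearer token -> customer id
Route = namedtuple("Route", "handler requires_auth returns_fields")

def lookup_customer(params, ctx):
    # Vulnerable handler: any caller who knows an id gets the full record.
    rec = CUSTOMERS.get(params.get("id"))
    return (200, rec) if rec else (404, {"error": "not found"})

def lookup_own_profile(params, ctx):
    # Hardened handler: the record is selected from the authenticated subject,
    # so a caller cannot read other customers by guessing ids.
    rec = CUSTOMERS.get(ctx["subject"])
    return (200, rec) if rec else (404, {"error": "not found"})

RECORD_FIELDS = frozenset(next(iter(CUSTOMERS.values())))
ROUTES = {
    "/api/customer": Route(lookup_customer, False, RECORD_FIELDS),  # the breach pattern
    "/api/me": Route(lookup_own_profile, True, RECORD_FIELDS),      # hardened
}

def dispatch(path, params, headers):
    # Minimal router that enforces each route's authentication requirement.
    route = ROUTES.get(path)
    if route is None:
        return 404, {"error": "no such route"}
    ctx = {"subject": None}
    if route.requires_auth:
        auth = headers.get("Authorization", "")
        token = auth[7:] if auth.startswith("Bearer ") else None
        if token not in VALID_TOKENS:
            return 401, {"error": "authentication required"}
        ctx["subject"] = VALID_TOKENS[token]
    return route.handler(params, ctx)

def audit_unauthenticated_pii_routes():
    # Inventory check: routes able to emit sensitive fields with no auth at all.
    return sorted(p for p, r in ROUTES.items()
                  if not r.requires_auth and r.returns_fields & SENSITIVE_FIELDS)
```

Running the audit over a real route table (the framework's route registry plus each handler's declared response schema) is the same check at scale; the point is that the unauthenticated route is found by inventory, not by waiting for a breach.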
More on the Optus Data Breach from Traceable’s CSO, Richard Bird…
While the initial findings suggest that the exposure of tens of thousands of Australians’ personal and private data was accidental, neither government agencies nor customers are very forgiving about an accident being used as a rationalization for a security stewardship failure when it comes to critical information about those customers and citizens.
Security solutions need to account for, expose and mitigate human error on the technical side of the equation, because it is clear that regulators and the market will offer little to no forgiveness for these types of breach events.
The real problem with the Optus breach is the egregious “piling on” that is going on in both the corporate world and the solution providers’ space. Optus is in the throes of addressing a challenging catastrophic issue, while the media, government agencies and technologists are actively shaming them.
– Richard Bird
Twitter API Vulnerability
Twitter has been in the news probably more than Uber this year, both because of security issues earlier in the year, and again after Elon Musk’s takeover.
The Twitter API vulnerability that resulted in 5.4 million users’ information being leaked was one of 2022’s biggest data breaches.
While the 5.4 million records were available for $30,000 and were shared for free in September this year, revelations by Pompompurin to BleepingComputer indicate the presence of another data dump of 1.4 million records from suspended Twitter users.
The breached data includes public and private information such as names, Twitter handles, locations, account creation dates, follower and favorites count, email addresses and phone numbers.
To add insult to injury, the data was scraped through the exploitation of the same vulnerability that was exploited in 2021. While the theft of 5.4 million user data records was carried out by a threat actor going by the name Devil, the theft of another 1.4 million data records was the work of Pompompurin, the owner of the Breached hacking forum who got the vulnerability tip from Devil.
Twitter was fined $150 million for lapses in upholding user privacy in May 2022.
What Do These Data Breaches Mean for API Security in 2023?
With so many high profile data breaches hitting the API layer, we have already seen major regulatory bodies and cybersecurity frameworks, like FFIEC and Zero Trust Security, start to incorporate API security into their purview.
API security is no longer a “nice to have”. It’s a requirement. You simply can’t protect your data without it, and it’s great to see compliance and security frameworks start to evolve with the times.
FFIEC Guidelines and API Security
The FFIEC (Federal Financial Institutions Examination Council) is an interagency body of the U.S. government, made up of several financial regulatory agencies. It was originally created on March 10, 1979, and is responsible for creating uniform regulatory standards and reporting systems for all federally supervised financial institutions, as well as their holding companies and subsidiaries. Any institution that is regulated by one of the FFIEC member agencies is effectively subject to FFIEC rules.
On October 3, 2022, the FFIEC announced a significant update to its 2018 Cybersecurity Resource Guide for Financial Institutions. The Guidance highlights risk management practices that support oversight of identification, authentication, and access solutions as part of an institution’s information security program.
The most recent FFIEC update adds API security as an important component of an organization’s inventory of information systems and risk management initiatives. This is a major step toward eventual regulatory mandates that include API security.
API Security and Zero Trust
As 2022 passes, another cybersecurity development hit us square between the eyes — the intersection of API security and Zero Trust Security. API data breaches have shined a light on the next evolution of Zero Trust Security.
Namely, you simply can’t have true Zero Trust Security without API Security.
In fact, Traceable has a webinar coming up on this exact topic. You can register here.
Also, in November of 2022, the US Department of Defense (DoD) released its Zero Trust strategy and roadmap. The plan includes more than 100 activities and new capabilities aligned against Zero Trust’s seven pillars: devices, users, data, networks and environments, applications and workloads, automation and orchestration, and visibility and analytics.
And demonstrating that the DoD has its pulse on emerging industry vulnerabilities, API security is considered in many of the key security activities the agency plans to undertake.
However, to date, APIs have been largely neglected by Zero Trust models. In addition, digital transformation demands and DevSecOps processes at organizations have created new gaps and vulnerabilities attackers can exploit.
The DoD’s heightened focus on API security shines a light on the need for organizations to apply a Zero Trust lens to these problems. A 2021 Dark Reading survey found that 41 percent of organizations treat APIs the same as web applications, only 23 percent have a dedicated process for evaluating API security, and an astonishing 18 percent don’t perform security testing on APIs at all. Clearly, there is work to be done to strengthen API security.
The Bottom Line: It’s About Data Security
While it’s easy to get caught up in the specific solutions, it’s important to remember what all of this is really about — data security. API security is becoming top of mind for security executives because the evidence is now overwhelming about how APIs are being abused, and how much sensitive data is potentially exposed via APIs.
APIs are closest to the data layer. That means no cybersecurity or data security initiative is complete without incorporating API security into those plans.
We encourage security leaders to contact Traceable for a customized demo, where we can show you exactly what sensitive data is coursing through your APIs and what you can do about it.
Traceable is the industry’s leading API security platform that identifies APIs, evaluates API risk posture, stops API attacks, and provides deep analytics for threat hunting and forensic research. With visual depictions of API paths at the core of its technology, its platform applies the power of distributed tracing and machine learning models for API security across the entire software development lifecycle. Book a demo today.