Shay Levi is the co-founder and CTO of Noname Security, a leading provider of comprehensive and proactive API security.
While data breaches can be devastating to businesses of any size, imagine the impact on the people whose personal information has been exposed. I checked Thesaurus.com and couldn’t find anything five times worse than the word “devastating”. It is impossible to imagine what it feels like unless you have experienced it yourself.
That’s why companies need to be relentless when it comes to protecting customer data. Of course, that’s easier said than done with the global economy on the brink of recession and inflation. However, this context further justifies why companies need to take cybersecurity seriously.
After reviewing notable flaws from the last year, it doesn’t take long to realize that vulnerable APIs were hackers’ favorite attack vector. As documented in cybersecurity firm Imperva’s “Quantifying the Cost of API Insecurity” report, the “average annual cyber loss from APIs in the United States” has reached a staggering $12 billion to $23 billion, which means API security will be critical to your success in 2023 if you’re looking to avoid making headlines this year.
To help you develop a sense of urgency, I’d like to review some notable breaches from 2022 to show how built-in APIs are present in almost everything we do, as well as how indiscriminate these attacks can be.
With the increasing number of data breaches and scandals, consumer privacy is slowly becoming a thing of the past. The proliferation of smart devices and apps certainly hasn’t helped, given that these tools now collect more data than ever before. Beyond personally identifiable information (PII) such as name, address and credit card numbers, consumer habits and preferences are also stored.
Bad actors are well aware of this reality, which is why organizations with large databases are often the target. As an illustration, let’s look at the multi-year API security saga at Twitter. In December 2022, the profile data and email addresses of 200 million Twitter users were exfiltrated by hackers. Four months prior, CloudSEK researchers identified 3,207 mobile apps that leaked valid Twitter API keys and secrets. And a month before that, hackers were selling the data of 5.4 million users, which they had obtained by exploiting an API vulnerability.
Hackers also understand that there are still consumers who communicate through traditional means. Saving you the 16-hour flight from Twitter’s headquarters to Australia, let’s take a look at what happened with the Optus breach. An unauthenticated API allowed hackers to steal sensitive data belonging to the telecom giant’s 10 million customers.
As you can see from these two examples, consumer privacy is not only a matter of the present but also of the future. With technology evolving at such a rapid pace, people will need to be more careful about how and with whom they share their personal data. But businesses will have to lead the charge if they plan to retain customers.
When we think about the potential impact data breaches can have on consumers, we typically focus on the financial ramifications. Perhaps hackers are using a stolen credit card to buy expensive luxury items or using compromised credentials to fraudulently transfer funds to offshore accounts. But what about the risk of physical injury?
A team of researchers, led by well-known bug bounty hunter Sam Curry, recently discovered critical API flaws in the automotive industry. The list of affected companies includes world-renowned automakers such as Kia and Ford.
Unsurprisingly, the team found APIs that exposed sensitive customer data, such as addresses, credit card information from sales quotes and vehicle identification numbers (VINs), information with obvious implications for identity theft. However, that was not all they found.
Our new digital age of hyperconnectivity means your vehicle is also a smart device, which also means these exploited API vulnerabilities could expose your vehicle’s location or allow hackers to compromise your vehicle’s remote management system. This is probably the most alarming detail in this entire article. In the event of a breach of your remote management system, cybercriminals would have the ability to unlock your vehicle, start the engine or even completely disable the starter.
Finally, what about the impact API vulnerabilities can have on your operations? Earlier this month, CircleCI reported that an employee’s laptop had been compromised by malware in December and advised customers to rotate their project API tokens and personal API tokens. If you’re unfamiliar with the company, over a million developers worldwide use CircleCI’s continuous integration and delivery (CI/CD) platform.
According to CircleCI CTO Rob Zuber, “Because the targeted employee had privileges to generate production access tokens as part of their regular duties, the unauthorized third party was able to access and exfiltrate data from a subset of databases and stores, including client environment variables, tokens, and keys.”
If your jaw isn’t on the floor right now, let me simplify things for you. The software delivery engine that a million developers use to ship code was compromised. Customer API keys and secrets were exposed to hackers from December 16, and the exposure was only discovered on January 4 of this year.
It is too early to assess the impact this breach has had, or will have, on CircleCI customers. It’s worth worrying about, though, considering that Zuber also said, “There’s no way [for CircleCI] to find out if your secrets have been used for unauthorized access to these third-party systems.” Simply put, if you don’t monitor how your own API tokens are used, nobody else can do it for you.
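The CircleCI advice above puts the burden on each customer: rotate the tokens, then check your own access logs for any use of the old tokens during the exposure window and, above all, after the rotation deadline. The following is an added example of that audit, written for this article and not code from CircleCI or from Noname Security. It assumes a hypothetical one-line-per-request log format (timestamp, token id, source address, method, path, status) and uses constructed sample lines; the token ids and addresses are invented.

```python
"""Audit API access logs for use of compromised tokens (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import re

# Constructed sample log lines in a hypothetical format; not from any real system.
SAMPLE_LOG = """\
2022-12-10T08:00:00Z token=tok_a1 src=203.0.113.10 GET /v1/projects 200
2022-12-20T02:13:45Z token=tok_a1 src=198.51.100.7 GET /v1/secrets 200
2022-12-22T11:05:01Z token=tok_b2 src=203.0.113.10 POST /v1/deploy 201
2023-01-03T23:59:59Z token=tok_a1 src=198.51.100.7 GET /v1/secrets 403
2023-01-06T09:30:00Z token=tok_a1 src=203.0.113.10 GET /v1/projects 200
2023-01-06T09:31:00Z token=tok_c3 src=203.0.113.10 GET /v1/projects 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) token=(?P<token>\S+) src=(?P<src>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Dates from the article: secrets exposed from December 16, discovered January 4.
EXPOSURE_START = datetime(2022, 12, 16, tzinfo=timezone.utc)
ROTATION_DEADLINE = datetime(2023, 1, 4, tzinfo=timezone.utc)


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    token: str
    src: str
    method: str
    path: str
    status: int


@dataclass(frozen=True)
class Finding:
    event: AccessEvent
    reason: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the hypothetical log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # in production, count and surface unparseable lines too
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(AccessEvent(ts, m["token"], m["src"], m["method"],
                                  m["path"], int(m["status"])))
    return events


def audit_token_usage(events, compromised_tokens, known_sources,
                      exposure_start=EXPOSURE_START,
                      rotation_deadline=ROTATION_DEADLINE) -> list[Finding]:
    """Flag every use of a compromised token that a customer should investigate.

    - Any use on or after the rotation deadline: the token should be dead by then.
    - Any use during the exposure window from a source you do not recognise.
    Uses from known sources inside the window are left for manual review, since
    legitimate automation kept running with the same tokens until rotation.
    """
    findings = []
    for ev in events:
        if ev.token not in compromised_tokens or ev.ts < exposure_start:
            continue
        if ev.ts >= rotation_deadline:
            findings.append(Finding(ev, "compromised token still in use after rotation deadline"))
        elif ev.src not in known_sources:
            findings.append(Finding(ev, "compromised token used from unknown source during exposure window"))
    return findings


def run_sample_audit() -> list[Finding]:
    """Run the audit over the constructed log with invented token ids and sources."""
    events = parse_log(SAMPLE_LOG)
    return audit_token_usage(events,
                             compromised_tokens={"tok_a1", "tok_b2"},
                             known_sources={"203.0.113.10"})


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"{f.event.ts.isoformat()} {f.event.token} {f.event.src} "
              f"{f.event.method} {f.event.path} -> {f.reason}")
```

A 403 in the log is not a reason to drop a line: the attempt itself tells you the old token was presented from an address you do not control, which is the signal the provider cannot give you. Feed the same function a longer window or a broader list of known sources as your investigation narrows.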
Securing APIs in 2023
Ultimately, consumers feel more comfortable knowing their information is safe from hackers. APIs are and will continue to be a lucrative attack vector that hackers can exploit for as long as organizations continue to ignore them. The only difference is that the stakes are much higher in this economic climate. If the business world is serious about protecting consumer data from hackers and malicious entities, now is the time to invest in API security.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs, and technology executives.