The Weekly Breach Breakdown: API Attacks Become More Common as Software Grows in Popularity

• Application Programming Interfaces (APIs), software that allows two different applications to talk to each other and work together, is becoming more popular. Its use is up 61 percent in 2020 over 2019. However, so are API attacks – a 211 percent rise in 2020.
• API flaws are at the root of the SolarWinds and Microsoft attacks and the Peloton data breach. API attacks also led to personal information from Facebook and LinkedIn being scraped.
• To prevent API attacks, businesses with their own API developers should implement stronger testing protocols and security. Businesses that hire API development companies should insist on the highest level of testing and security. Consumers are encouraged to ask organizations they do business with how they protect personal information.
• To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
• For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org. Coming later this month, people can talk after-hours, weekends and on holidays with our new automated chatbot, ViViAN.

Alphabet Soup

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for June 4, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week we are going to talk about an emerging threat to data security. By default, it’s personal information that most people are unaware even exists. It’s part of the alphabet soup of tech terms that can seem like a cure for insomnia.

Application Program Interfaces (APIs)

We are talking about API attacks. In fact, some of the biggest security events of 2020 and 2021 resulted from these kinds of attacks. So, what is an API, and how can it cause so much trouble?

API is short for Application Programming Interface. In English, that means the software that allows two different applications to talk to each other and work together. Think of when someone goes to a travel website to see which airline has the lowest price and best schedule for their vacation. It’s an API that connects the travel site to the airline’s system to get them the information they need. One may never see or interact with an API, but it’s there working in the background.

APIs Are Growing in Popularity

There’s nothing particularly complex about most APIs, which means they are not subjected to many of the rigorous testing protocols required for other software. Meanwhile, the use of APIs is growing – 61 percent in 2020 over 2019, and the growth rate in 2021 is projected to be 71 percent, according to trade publication Dev Ops Digest. Compare that to the growth in malicious API transactions in 2020 – a 211 percent increase.

API Flaws Becoming More Common in Security and Data Breaches

With poor software testing practices and a rapid development pace, flaws in APIs are climbing up the list of underlying causes of data and security breaches. Consider some recent research findings from API security firm SALT:

• Ninety-one (91) percent of respondents suffered a security incident in their APIs in 2020.
• Fifty-four (54) percent of those API attacks were tied to software flaws; 46 percent of the attacks succeeded because a malicious transaction was recognized as being legitimate.
• Eighty-two (82) percent of organizations lack confidence in knowing which APIs expose personal information.
• One hundred (100) percent of Salt Security’s customers that suffered API attacks in 2020 had standard cybersecurity tools like web application firewalls in place, but they did not prevent the attack.

API flaws are at the root of the SolarWinds and Microsoft attacks and the Peloton data breach. APIs were also exploited to scrape personal information from Facebook and LinkedIn.

How Can Businesses and Consumers Protect Themselves from API Attacks?

What can be done to minimize the risk of API attacks? Businesses that have their own API developers need to implement stronger testing protocols and security. Businesses that hire API development companies should insist on the highest level of testing and security.

Consumers should ask organizations with whom they do business how they protect personal information, including their cybersecurity and data protection programs.

Contact the ITRC

If anyone has questions about keeping their personal information secure, they can visit www.idtheftcenter.org, where they will find helpful tips. People can also sign-up to receive our regular email updates on identity scams and compromises and download our latest report on how identity crimes impact individuals.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST). On June 4, people can talk after-hours, weekends and holidays with our new automated chatbot, ViViAN. Just visit www.idtheftcenter.org to get started.

Be sure to check out our sister podcast, The Fraudian Slip. We will be back next week with another episode of the Weekly Breach Breakdown.