Recently, The Guardian reported that about 50,000 Australian university students who were using the events app Get were affected by a massive data breach. Personal details of university students involved in clubs and societies around Australia were exposed online.
The Get app was built for university societies and clubs to facilitate payments for events and merchandise. It operates in four countries with 159,000 active users, and 453 clubs using it. And this isn’t the first time the company has had a breach of this kind.
This first came to light when a user on Reddit looked up their own club on the app and consequently got access to other users’ data, including name, email, date of birth, Facebook ID, and phone numbers — all through the company’s search function API. The user stated that they could send requests for data without legitimate access, meaning anyone could request access to the information. In response to the news of the breach, Get posted on its website that it had made a change to prevent that from happening and begun telling organizations about the breach.
With so many APIs, your attack surface might be increasing
This real-life scenario is just one example of an organization without a proper API security system in place to protect the data of its consumers. Like Get, your business is likely taking advantage of APIs to streamline partnerships and streamline growth. But, a growing number of APIs also mean a growing number of security vulnerabilities and your attack surface is potentially increasing. Security threats are rapidly changing, as are the rules and regulations for maintaining your API security. With the emergence of mobile, voice, and applications at the edge, developers need to reconsider the API security landscape. As a digital business, your API security needs to accommodate a variety of application types, allowing access to all authorized users while keeping unrecognized users blocked.
A lack of API security can lead to costly breaches and disruptions that negatively impact your reputation and bottom line. In the case of Get, this is the company’s second security breach, with the first causing the company to do a major rebrand. Not only is it a costly undertaking, but very disruptive for the app’s users.
How you can stay on top of your API security
To protect your organization, you need to extend security practices to focus on attacks specific to APIs, such as API gateways and API authentication. In order to defend against these threats, you need to implement an API security strategy with standards-based access control, deep visibility into API traffic, and threat detection.
Read this whitepaper to hear from API security experts who outline how the API landscape reached its current state, where things are going, how things will continue to shift and evolve for your digital business, and how you can stay on top of your API security.
To learn more about how you can implement a complete API security solution for designing, developing, and securing your organization’s APIs across on-premises, private or public clouds, and hybrid IT environments, read this solution brief.