{"id":7912,"date":"2023-09-28T15:24:13","date_gmt":"2023-09-28T14:24:13","guid":{"rendered":"https:\/\/amtivo.com\/uk\/standards\/\/\/api-security-data-breach-risk\/"},"modified":"2025-12-15T16:17:58","modified_gmt":"2025-12-15T16:17:58","slug":"api-security-data-breach-risk","status":"publish","type":"standard-post-filter","link":"https:\/\/amtivo.com\/uk\/standards\/iso-27001\/insights\/api-security-data-breach-risk\/","title":{"rendered":"API Security Is a Data Breach Risk Organisations Ignore at Their Peril"},"content":{"rendered":"<p><em>Recently, a less obvious issue that is starting to get more attention is the vulnerability of Application Programming Interfaces (APIs). Although it is not at the top of most CISOs&#8217; to-do lists, that may be precisely the point: securing APIs is still a topic many organisations don\u2019t think deeply about until it is too late.<\/em><\/p>\r\n<h2>APIs Are Everywhere<\/h2>\r\n<p>Web traffic is usually thought of as traffic between a web application or website and a human being. In fact, according to a 2019 estimate from Akamai, <a href=\"https:\/\/www.akamai.com\/newsroom\/press-release\/state-of-the-internet-security-retail-attacks-and-api-traffic\" target=\"_blank\" rel=\"noopener\">up to 83%<\/a> of this traffic is to and from APIs, a second layer of software on which websites and applications depend. This is overwhelmingly machine-to-machine communication that happens invisibly in the background.<\/p>\r\n<p>The rise in API traffic is a consequence of the way APIs have become a critical part of the digital landscape. Even smaller businesses probably depend on dozens of APIs, while enterprises can run hundreds or even thousands at a time. 
Some are internal APIs, developed in-house, while many others come from external sources and are used to connect to and draw data from a wide range of data services.<\/p>\r\n<p>Cyber criminals have tracked the growing importance of APIs, and APIs now feature in the attack chain of a growing number of attacks. According to Akamai, cyber attacks targeting APIs <a href=\"https:\/\/c212.net\/c\/link\/?t=0&amp;l=en&amp;o=3838679-1&amp;h=1875697885&amp;u=https%3A%2F%2Fwww.akamai.com%2Flp%2Fsoti%2Fslipping-through-the-security-gaps-the-rise-of-application-and-api-attacks&amp;a=Slipping+through+the\" target=\"_blank\" rel=\"noopener\">grew 137% in 2022<\/a>. Examples include:<\/p>\r\n<ul>\r\n\t<li>A <a href=\"https:\/\/www.bbc.co.uk\/news\/business-57841239\" target=\"_blank\" rel=\"noopener\">2021 LinkedIn API flaw<\/a> exposed the data of 700 million users to web scraping.<\/li>\r\n\t<li><a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/54-million-twitter-users-stolen-data-leaked-online-more-shared-privately\/\" target=\"_blank\" rel=\"noopener\">A Twitter API<\/a> weakness that compromised the data of 5.4 million people.<\/li>\r\n\t<li>A <a href=\"https:\/\/www.reuters.com\/technology\/australias-optus-says-up-10-mln-customers-caught-cyber-attack-2022-09-23\/\" target=\"_blank\" rel=\"noopener\">2022 attack<\/a> on the Australian telecom company Optus breached the personal data of almost 10 million customers.<\/li>\r\n<\/ul>\r\n<p>The Optus incident is revealing. First, it seems that the API was working correctly, and the breach wasn\u2019t a conventional hack at all \u2013 the company simply left the data exposed through the API. Second, the data loss led to Optus being extorted. Most organisations fear extortion after a conventional ransomware attack. 
The Optus breach showed how APIs could be a simple back door to achieve the same end.<\/p>\r\n<h2>What Is an API?<\/h2>\r\n<p>For many years, APIs were programming shortcuts that made it easier for application developers to interact with things like operating systems, for example, the various Windows APIs. Programmers didn\u2019t need to know anything about the underlying hardware and could instead use a Windows API call to do the hard work.<\/p>\r\n<p>The arrival of e-commerce in the early 2000s changed this forever as APIs became a way to access data too. The pioneers were Salesforce and Amazon, but soon many others were using APIs to sell access to data. A famous example is Google Maps, a huge mapping database that many organisations license for use inside their own apps through an API.<\/p>\r\n<p>This shows how APIs operate as standardised interfaces that make it easier to connect an application to something proprietary such as a database. But it stands to reason that if you\u2019re making it easy to connect to data, that data becomes vulnerable should the API have a weakness that allows unauthorised access.<\/p>\r\n<h2>An Invisible Problem<\/h2>\r\n<p>According to the <a href=\"https:\/\/owasp.org\/API-Security\/editions\/2023\/en\/0x11-t10\/\" target=\"_blank\" rel=\"noopener\">recently updated list<\/a> of common API weaknesses tracked by OWASP, many of the vulnerabilities afflicting APIs are similar to those affecting conventional web applications. For example, number two on the list is \u2018broken authentication\u2019, which relates to things like brute force and credential-stuffing attacks through the API.<\/p>\r\n<p>In many cases, organisations don\u2019t even know they are using a vulnerable API. This can happen for a variety of reasons, starting with the sheer number of APIs. 
When organisations used small numbers of APIs, keeping on top of them was easy; once that rose to hundreds, the management task multiplied beyond the capability of their tools and teams to keep pace.<\/p>\r\n<p>As with any software, APIs keep changing, which introduces new vulnerabilities. Third-party APIs only compound this. A developer incorporates an API inside an application but forgets to document it. The result is a shadow API, and shadow APIs can eventually turn into zombie APIs, namely APIs that are no longer being updated.<\/p>\r\n<p>A final problem is that many API issues involve the exploitation of legitimate but poorly designed API functions, or of an API that has been left in an exposed state (for example, without correct authentication) by accident.<\/p>\r\n<h2>Is There a Solution?<\/h2>\r\n<p>There is a tendency to see API security as something only larger companies need to worry about. In fact, any organisation using APIs is at risk, including SMBs. Today, organisations typically protect their APIs with a mixture of web application firewalls (WAFs), API service gateways, or some form of access or authentication control. The catch is that these systems weren\u2019t developed for API security and often lack the features needed to protect and manage APIs.<\/p>\r\n<p>A priority for any organisation should be to conduct some kind of audit of which APIs they are using, including undocumented ones. Short of buying a dedicated API tool, this can be a big job on an ongoing basis. Meanwhile, many API issues occur at a third-party developer level, which is almost impossible for a small organisation to detect. Unfortunately, this means that there is no easy API security fix, which probably explains why the issue has persisted.<\/p>\r\n<p>A note of hope is that more sophisticated API detection, management and security is finding its way into mainstream security tools such as e-commerce gateways used by smaller organisations. 
One way to access this technology is through managed service providers (MSPs) offering API security as part of their service.<\/p>","protected":false},"excerpt":{"rendered":"API security is paramount in safeguarding against data breaches. Learn how to fortify your defenses against potential threats in our guide.","protected":false},"author":24,"featured_media":7413,"standard-post-categories":[31],"standard-post-tags":[91]}