
How to Protect Personal Data in Today’s API Economy


Nov 07, 2025

Maegan Reid and Patrick McNeil

Written by

Maegan Reid

Maegan Reid is a Senior Partner Solutions Engineer at Akamai, who uses Akamai’s extensive portfolio of world-class security solutions to help our partners solve our joint customers’ toughest security challenges.

She started her journey in cybersecurity with Asavie, which was acquired by Akamai in 2020. After the birth of her first child, Maegan earned a master's degree in Cybersecurity Operations and Leadership from the University of San Diego in 2021.

Written by

Patrick McNeil

Patrick McNeil is a Senior Security Architect at GuidePoint Security, specializing in AppSec, API security, and AI security. His background spans software development, system architecture, network engineering, and cybersecurity across the defense, banking, and telecommunications industries.

He has shared his expertise at numerous conferences, including DEF CON, DerbyCon, BSides Las Vegas, regional security conferences, and various telecommunications and fraud prevention forums.

Patrick is also deeply involved in his local security community. He serves as a staff member for CackalackyCon and is the president of the nonprofit Oak City Locksport, which hosts monthly meetings and Lockpick Villages at security events throughout the North Carolina Triangle region.


Executive summary

  • The growing reliance on APIs has increased the attack surface, making them a prime target for cyberattackers.

  • APIs are a critical component in various industries and are used to facilitate data exchange between systems, but a lack of proper security controls has led to a significant increase in API-related security incidents.

  • Threat actors are using sophisticated methods to exploit API weaknesses, resulting in severe financial implications, with estimated annual costs of approximately US$87 billion.

  • Regulatory frameworks require organizations to implement robust API security measures to protect sensitive data.

  • To mitigate API security risks, organizations need to gain visibility into API use and implement real security controls, including access controls, API security tools, and continuous testing.

Although this October has come to a close, the spirit of National Cybersecurity Awareness Month (NCSAM) lives on. For more than 20 years, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has led this annual initiative to educate individuals about pressing cybersecurity threats, such as phishing and identity theft, and to equip them with the knowledge necessary to safeguard their personal information. 

As we put NCSAM behind us, it's essential to remember that cybersecurity is a year-round concern, not just a momentary focus.

Why personal data protection demands vigilance and proactive security measures

Protecting personal information, particularly personally identifiable information (PII) and personal health information (PHI), has become increasingly important. In the last 10 years alone, billions of people have been impacted by major breaches that targeted social media, email, and financial services organizations. 

From identity theft to financial fraud, the consequences of these breaches have been devastating and far-reaching. Few people have never received a breach notification letter in the mail, accompanied by an offer of some kind of free identity monitoring service.

As individuals, we can implement strong security practices such as using multi-factor authentication (MFA), unique and complex passwords, and identity monitoring tools to keep our personal data safe. 

APIs move data — and multiply risk

But what happens when our personal information starts moving between systems? Traditional corporate defenses like firewalls, endpoint protection, identity controls, and data loss prevention do a solid job protecting the infrastructure, but that protection only goes so far. 

Once our data leaves that protected infrastructure to move between applications via application programming interfaces (APIs), it’s exposed to a whole new set of risks.

What are APIs?

APIs are the connective tissue that make modern apps work. When you’re moving money between bank accounts, applying for a loan, or booking a doctor’s appointment, there is an API behind the scenes that is responsible for querying or storing data. 

API interactions happen between your web browser and the site you’re using, but also between the various systems that support that site. It’s estimated that somewhere between 50% and 75% of web traffic is from APIs.

A widening attack surface

While most applications sit behind layers of protection, APIs often don’t get the same level of attention. And since threat actors go wherever the defenses are weakest, we’re now seeing more of them shift their focus to target APIs directly.

We’re seeing a sharp uptick in API security incidents, including:

That growth tracks directly with the explosion of cloud adoption, microservices, and AI-driven applications. As organizations rely more on APIs to connect systems and accelerate innovation, they’ve also widened their attack surface and attackers have noticed. 

APIs have become one of the most common entry points for modern breaches outside of phishing.

API vulnerabilities across industries

Although APIs have become a critical component in various industries, they expose sensitive data and functionality. Examples of real-world abuse cases include:

  • Reservation systems: Rogue agents and compromised users can lead to PII loss, monetary loss, and business disruption.

  • Streaming services: Compromised user accounts can result in piracy and PII loss.

  • Retail shopping sites: “Resale botters” use automation (bots) to buy up limited items to resell at a markup, leaving real customers empty-handed and causing brand damage.

  • Healthcare sites: Compromised user accounts, implementation errors, and insider threats can lead to the exposure of PHI.

  • Payment platforms: Compromised merchants and end users can result in PII loss, monetary loss, and money laundering.

AI adoption

Another real-world abuse case involves AI adoption. Many organizations are adopting AI to streamline their business operations without realizing that threat actors can manipulate AI agents and thereby abuse the integrations those agents rely on, which happen over APIs.

Examples of this kind of abuse include an agent that reads data from a database, opens a support ticket, or interacts with payment systems. These operations may result in data theft, financial loss, or even model poisoning that can mislead customers or spread misinformation.

API attack strategies

As APIs continue to multiply across every part of the tech stack, attackers are evolving right alongside them, using increasingly sophisticated methods to exploit API weaknesses, including:

  • Strategic targeting: Using AI tools to identify and analyze specific components in target APIs and craft tailored exploits

  • Automated attacks: Automating the attack process to rapidly identify and exploit API security weaknesses

  • Volumetric attacks: Overwhelming APIs with traffic and large language model (LLM) tokens to inundate security systems

  • Behavioral-based attacks: Analyzing traffic patterns to create low-and-slow attacks that evade detection

Financial implications

The financial implications of API security issues are severe, with current costs estimated at approximately US$87 billion annually. Projections indicate that this figure could exceed US$100 billion by 2026 without adequate intervention. The integration of AI-driven software as a service (SaaS) tools with core platforms via APIs has substantially expanded the attack surface, further exacerbating the financial risks.

Several regulation and compliance frameworks include provisions regarding API security, particularly when APIs handle sensitive data or facilitate critical operations. These include industry standards such as: 

Failing to adhere to these standards can result in hefty fines, reputational damage, and significant impacts to business operations.

A real-world example: Ecommerce API abuse

To contextualize the growing risk, let’s look at a real-world example. Akamai’s State of the Internet (SOTI) report, State of Apps and API Security 2025: How AI Is Shifting the Digital Terrain, includes an example from the first quarter of 2025.

An ecommerce company faced an API attack that targeted their Short Message Service (SMS) API, which lacked proper authentication. API authentication verifies that whoever’s trying to access an API is actually who they claim to be — making sure that only trusted users or systems can connect and interact with it.

The attackers were able to exploit the API using multiple IP addresses and random mobile numbers, inundating the system with 11,057 POST requests, 5,659 of which were successful. As a result of this SMS gateway service abuse, the company incurred massive, unexpected financial charges and their credibility with their clients was damaged.
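The pattern in that incident (many POSTs to one SMS endpoint, from many source addresses, each to a previously unseen number) is visible in ordinary access logs. The following is an added detection example, not code from Akamai, GuidePoint Security, or the SOTI report; the log format, the endpoint path `/api/sms/send`, the `to` query parameter, the thresholds, and the log lines themselves are all constructed for illustration.

```python
"""Flag SMS-gateway abuse from access-log lines.

Added example (not from the original post). Assumptions: Combined-Log-Format
style lines, the send endpoint is POST /api/sms/send, and the destination
number is carried in a `to` query parameter. Thresholds are illustrative
and would be tuned against real baseline traffic.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample traffic: six sends from four source addresses to six
# different numbers, plus two unrelated requests that must be ignored.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Nov/2025:10:00:01 +0000] "POST /api/sms/send?to=%2B15550000101 HTTP/1.1" 200 42
203.0.113.11 - - [07/Nov/2025:10:00:01 +0000] "POST /api/sms/send?to=%2B15550000102 HTTP/1.1" 200 42
203.0.113.12 - - [07/Nov/2025:10:00:02 +0000] "POST /api/sms/send?to=%2B15550000103 HTTP/1.1" 200 42
203.0.113.10 - - [07/Nov/2025:10:00:02 +0000] "POST /api/sms/send?to=%2B15550000104 HTTP/1.1" 200 42
203.0.113.13 - - [07/Nov/2025:10:00:03 +0000] "POST /api/sms/send?to=%2B15550000105 HTTP/1.1" 500 17
203.0.113.11 - - [07/Nov/2025:10:00:03 +0000] "POST /api/sms/send?to=%2B15550000106 HTTP/1.1" 200 42
198.51.100.7 - - [07/Nov/2025:10:00:04 +0000] "GET /api/products HTTP/1.1" 200 1024
198.51.100.7 - - [07/Nov/2025:10:00:05 +0000] "POST /api/cart HTTP/1.1" 201 88
"""


@dataclass
class SmsAbuseReport:
    total_posts: int          # POSTs to the send endpoint
    successful_posts: int     # those answered with a 2xx (i.e. billable sends)
    distinct_sources: int     # distinct client IPs
    distinct_numbers: int     # distinct destination numbers
    min_posts: int
    min_sources: int
    min_new_number_ratio: float

    @property
    def new_number_ratio(self) -> float:
        # Share of sends that went to a number not seen elsewhere in the window;
        # legitimate OTP traffic repeats numbers, random-number abuse does not.
        return self.distinct_numbers / self.total_posts if self.total_posts else 0.0

    @property
    def suspicious(self) -> bool:
        return (
            self.total_posts >= self.min_posts
            and self.distinct_sources >= self.min_sources
            and self.new_number_ratio >= self.min_new_number_ratio
        )


def analyse_sms_traffic(
    log_text: str,
    endpoint: str = "/api/sms/send",
    *,
    min_posts: int = 5,
    min_sources: int = 3,
    min_new_number_ratio: float = 0.8,
) -> SmsAbuseReport:
    """Summarise POSTs to `endpoint` and decide whether they look like abuse."""
    sources, numbers = set(), set()
    total = successful = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        parts = urlsplit(m["target"])
        if parts.path != endpoint:
            continue
        total += 1
        if 200 <= int(m["status"]) < 300:
            successful += 1
        sources.add(m["ip"])
        to = parse_qs(parts.query).get("to", [None])[0]
        if to:
            numbers.add(to)
    return SmsAbuseReport(total, successful, len(sources), len(numbers),
                          min_posts, min_sources, min_new_number_ratio)


if __name__ == "__main__":
    report = analyse_sms_traffic(SAMPLE_LOG)
    print(report, "suspicious" if report.suspicious else "normal")
```

In production the same summary would be computed per sliding time window rather than over a whole file, and a hit would feed rate limiting or a gateway block rather than only an alert; the point here is that the signal is already in logs most organizations keep.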

Strengthening API security

To mitigate the personal data risks associated with API abuse, organizations need to put real security controls in place that consider people, process, and technology. This means clearly defining which users and systems can access specific resources, and enforcing that policy through proper access controls. 

Processes need to be put in place to review API designs so they are only handling the data that is absolutely required, and so their deployment and retirement are handled carefully — with clear ownership, change control, and oversight. 

It also means using API security tools that provide visibility, posture management, runtime protection, and continuous testing to secure APIs from development through production.
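To make "proper access controls" concrete for the SMS case above, here is an added example (not Akamai's or GuidePoint Security's code) of a small gateway in front of an SMS provider. The vulnerable shape, where any POST triggers a billable send, sits beside a hardened `send` that authenticates the caller, checks an authorization scope, and applies per-caller and per-destination rate limits. The API-key registry, the `sms:send` scope name, the limits, and the provider stub are all assumptions made for the example.

```python
"""Unauthenticated vs. hardened SMS send endpoint.

Added example (not from the original post). Assumes callers present an API
key, keys are stored only as SHA-256 digests, and authorization is a simple
scope check; the SMS provider is stubbed so the code runs offline.
"""
import hashlib
import secrets
import time
from collections import defaultdict, deque


def hash_api_key(api_key: str) -> str:
    """Store and look up digests so a leaked registry does not leak keys."""
    return hashlib.sha256(api_key.encode()).hexdigest()


class SmsGateway:
    def __init__(self, principals, *, per_caller_limit=100, per_number_limit=3,
                 window_seconds=60, clock=time.monotonic):
        # principals: {hash_api_key(key): {"name": str, "scopes": set[str]}}
        self._principals = principals
        self._per_caller_limit = per_caller_limit
        self._per_number_limit = per_number_limit
        self._window = window_seconds
        self._clock = clock                       # injectable for tests
        self._caller_hits = defaultdict(deque)    # name   -> send timestamps
        self._number_hits = defaultdict(deque)    # number -> send timestamps
        self.sent = []                            # what reached the provider

    def _provider_send(self, to: str, body: str) -> str:
        # Stub for the real (billable) provider call.
        self.sent.append((to, body))
        return secrets.token_hex(8)

    # --- the vulnerable shape: no authentication, no limits ----------------
    def send_unauthenticated(self, to: str, body: str) -> dict:
        return {"status": 202, "message_id": self._provider_send(to, body)}

    # --- the hardened path ------------------------------------------------
    def _authenticate(self, api_key):
        if not api_key:
            return None
        return self._principals.get(hash_api_key(api_key))

    def _within_limit(self, hits, key, limit) -> bool:
        """Sliding-window counter: drop stale hits, then admit or reject."""
        now = self._clock()
        window = hits[key]
        while window and now - window[0] > self._window:
            window.popleft()
        if len(window) >= limit:
            return False
        window.append(now)
        return True

    def send(self, api_key, to: str, body: str) -> dict:
        principal = self._authenticate(api_key)
        if principal is None:
            return {"status": 401}                # who are you?
        if "sms:send" not in principal["scopes"]:
            return {"status": 403}                # known, but not allowed to send
        if not self._within_limit(self._caller_hits, principal["name"],
                                  self._per_caller_limit):
            return {"status": 429}                # caller burst
        if not self._within_limit(self._number_hits, to, self._per_number_limit):
            return {"status": 429}                # one number hammered
        # Response carries only what the caller needs: no echo of the body.
        return {"status": 202, "message_id": self._provider_send(to, body)}


if __name__ == "__main__":
    gw = SmsGateway({hash_api_key("demo-key"): {"name": "ops", "scopes": {"sms:send"}}})
    print(gw.send(None, "+15550000101", "code 1234"))        # {'status': 401}
    print(gw.send("demo-key", "+15550000101", "code 1234"))  # {'status': 202, ...}
```

Note that a send rejected by the per-number limit has already consumed a slot in the caller's window; that is deliberate, since repeated attempts against one number are themselves a signal worth counting against the caller.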

You can’t protect what you can’t see

Many organizations struggle with understanding their API exposure, often being unaware of how many APIs they have, which are internet-facing, and what sensitive data types they include. 

Prioritizing the discovery and visibility of APIs is critical, because you cannot protect what you cannot see. It’s also important to stay informed on changes to industry-specific regulations and compliance frameworks, which increasingly include API visibility and security as key requirements.

Take action to protect your organization

With the security of personal data still top of mind after Cybersecurity Awareness Month, take this opportunity to strengthen your organization’s security posture by gaining visibility of your entire API estate. With evolving regulations and increasing AI-driven attacks, there’s never been a more critical moment to get control of your APIs. 

API security is just one piece of the broader cybersecurity puzzle. That’s why Akamai partners with trusted cybersecurity solution providers like GuidePoint Security to help organizations build a stronger, more resilient security stack that protects their data, operations, customers, and reputation.

Learn more

To learn how GuidePoint Security can help strengthen your API security and protect the personal data moving through your systems, contact us today.
