The API itself should have been secured, not just the app.
Description
What can be done to prevent a similar incident?
Information that should not be exposed through the API, such as private account details, must be withheld by the application code that implements the API, not merely hidden in the client app or tidied up by configuration around the API: a client that talks to the endpoint directly still receives whatever the server serialises. Fixing this requires understanding how data is passed between the different parts of the system and then applying security controls, authorization checks and field-level filtering at the point where the data is served. The fix should be verified the same way the exposure would be found: call the endpoint directly as a different user and confirm the private fields are absent from the response.
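As an added illustration of the point above (example code written for this page, not code from the incident or from any real application), the following shows the same account endpoint implemented twice: a "before" handler that serialises the whole record for any caller, and a hardened handler that decides in the API code which fields a given caller may see. The account schema, the sample accounts and the owner/admin roles are constructed assumptions chosen for the example.

```python
"""Added example: enforce data exposure in the API implementation, not the client.

The Account schema, the sample accounts and the role model below are constructed
for illustration; they do not come from the incident described on the page.
"""
from dataclasses import dataclass, asdict


@dataclass
class Account:
    id: int
    username: str
    display_name: str
    email: str          # private: should only be visible to the owner or an admin
    phone: str          # private: same
    is_admin: bool = False


# Constructed in-memory store standing in for the real database.
ACCOUNTS = {
    1: Account(1, "alice", "Alice", "alice@example.com", "+1-555-0100"),
    2: Account(2, "bob", "Bob", "bob@example.com", "+1-555-0101"),
    3: Account(3, "root", "Admin", "admin@example.com", "+1-555-0199", True),
}

# Allowlists of fields that may be serialised for each viewer class.
# Anything not listed here is never returned, so a new sensitive column
# added to Account later does not leak by default.
PUBLIC_FIELDS = ("id", "username", "display_name")
OWNER_FIELDS = PUBLIC_FIELDS + ("email", "phone")


class Forbidden(Exception):
    """Raised when the caller is not authenticated or not permitted."""


def get_account_vulnerable(caller_id: int, account_id: int) -> dict:
    """Before: returns every column for any caller.

    Hiding 'email' and 'phone' in the app's UI changes nothing here; anyone
    who calls the endpoint directly gets the full record.
    """
    return asdict(ACCOUNTS[account_id])


def get_account_hardened(caller_id: int, account_id: int) -> dict:
    """After: authorization and field selection live in the handler itself.

    The owner (or an admin) receives the owner allowlist; every other
    authenticated caller receives only the public allowlist.
    """
    caller = ACCOUNTS.get(caller_id)
    if caller is None:
        raise Forbidden("unauthenticated caller")
    target = ACCOUNTS.get(account_id)
    if target is None:
        raise LookupError("account not found")

    may_see_private = caller.id == target.id or caller.is_admin
    allowed = OWNER_FIELDS if may_see_private else PUBLIC_FIELDS

    record = asdict(target)
    # Build the response from the allowlist rather than deleting fields from
    # the full record, so the private-by-default posture cannot be bypassed
    # by forgetting to strip a field.
    return {field: record[field] for field in allowed}


def leaked_private_fields(caller_id: int, account_id: int) -> set:
    """Check helper: which private fields the vulnerable handler exposes to a
    caller that the hardened handler would withhold them from."""
    before = set(get_account_vulnerable(caller_id, account_id))
    after = set(get_account_hardened(caller_id, account_id))
    return before - after


if __name__ == "__main__":
    # Bob requests Alice's account: the vulnerable handler hands over her
    # email and phone, the hardened one returns only public fields.
    print(get_account_vulnerable(2, 1))
    print(get_account_hardened(2, 1))
    print(sorted(leaked_private_fields(2, 1)))
```

The essential design choice is the allowlist: the handler names what may leave the server, so the private-by-default behaviour holds even as the schema grows. A client-side change, or an API gateway rule that strips a field by name, protects only the paths it happens to cover.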
References
https://t.co/OdZdNUaPme