View Full Version : US T-Mobile Customer Data Exposed To Hacker For Over One Year
Ed Hansberry
01-12-2005, 09:00 PM
<a href="http://www.securityfocus.com/news/10271">http://www.securityfocus.com/news/10271</a><br /><br /><i>"A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers' passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned."</i><br /><br />I want to take this opportunity and absolve myself of <i><b>any and all</b></i> statements about bluetooth being dead. I understand from a recent "Portals" column in the Wall Street Journal by Lee Gomes that cell phones and wireless headsets basically saved the much maligned and major hassle-to-fool-with wireless {non}standard in the US. Never the less, it was this hacker that had obtained my Pocket PC Thoughts user id and password during one of my many GPRS sessions and was posting all of those "bluetooth is dead" posts in my name. :worried: <br /><br />Ok, nothing to see here. :idontthinkso: Move along. Check your T-Mobile statement for unusual activity.
Vincent M Ferrari
01-12-2005, 09:07 PM
The Secret Service uses T-Mobile!?!
Sorry... Guess I was shocked at the wrong part of the story :mrgreen:
whydidnt
01-12-2005, 09:27 PM
:jawdrop: Holy Cow! Unusual activity on a TMobile statement is probably the least of our worries. The Hacker apparently had access to, and was offering for sale - names, addresses and SSN's. I think it will be a good idea for TMobile customers to keep an eye on their credit report for any unusual activity. There is a lot of potential for identity theft in this story.
I am amazed that TMobile has not issued a statement to it's customers warning them of this possibility.
Pat Logsdon
01-12-2005, 09:34 PM
Just swell. Regarding T-Mobile's lack of communication:
T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning. Under California's anti-identity theft law "SB1386," the company is obliged to notify any California customers of a security breach in which their personally identifiable information is "reasonably believed to have been" compromised. That notification must be made in "the most expedient time possible and without unreasonable delay," but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation.
I understand why they didn't say anything previously, but as a T-Mobile customer, I'll be mighty upset if they don't issue a press release within the next few hours.
Another thing that burns me up about this is that the SS is trying to give the little creep a job. Sure, no one knows criminals like another criminal, but that doesn't mean that you have to EMPLOY them. :evil:
szamot
01-12-2005, 09:36 PM
:jawdrop: Holy Cow! Unusual activity on a TMobile statement is probably the least of our worries. The Hacker apparently had access to, and was offering for sale - names, addresses and SSN's. I think it will be a good idea for TMobile customers to keep an eye on their credit report for any unusual activity. There is a lot of potential for identity theft in this story.
I am amazed that TMobile has not issued a statement to it's customers warning them of this possibility.\\
Are you really that amazed? A public announcement by a public company would cost the company millions of dollars, a quiet arrest will save as much if not more in the long run. Make no mistake, T-Moblie consulted their legal team before anything was done. At the end of the day it is always the share price that matters the most not the clients. Also if T-Moblie made a public announcement that would be equivalent to the admission of quilt whereby this way they are playing a victim and I am sure collecting the insurance money one way or another. Now think about things we never actually hear about that take place.
Pat Logsdon
01-12-2005, 09:37 PM
I want to take this opportunity and absolve myself of any and all statements about bluetooth being dead...it was this hacker that had obtained my Pocket PC Thoughts user id and password during one of my many GPRS sessions and was posting all of those "bluetooth is dead" posts in my name. :worried:
Smooth, Ed. :mrgreen: Maybe in future you (or your hacker) could say that Bluetooth is merely resting. Or pining for the fjords, as it were. ;)
marcm
01-12-2005, 09:41 PM
Wow. I don't get why people find it so fun to do this.... I simply couldn't and I'm happy about that. Luckily, I'm a Rogers customer, and I can't even afford the GPRS rates they charge ($25 a month for like 1 or 2MB... 8O) so I'm stuck on WAP. Hopefully the introduction of EV-DO and other wireless technologies in Canada to come soon drive these prices down. Anyways, it looks like that creep did lots of damage... if he had never been detected, he could have done A LOT more too... :(
cubed
01-12-2005, 09:54 PM
Wonderful.....
If anyone sees my ssn number and t-mobile number floating around, will you be so kind as to let me know?
After reading the article, it seems as if our justice system is hard a work again. Instead of throwing the book at the kid, the Secret Service looks like they are going to offer him a cushy office job. :roll:
aristoBrat
01-12-2005, 09:54 PM
If you read the entire article, you'll see that the state of CA legally requires companies to notify customers when an event like this happens, unless a legal agency feels that it will negatively impact the investigation.
My guess is that the Secret Service has asked T-Mobile to be quite about this. I can't think of any other reason that they'd break the CA law.
Depending on how this story was released/leaked, I'd imagine that T-Mobile may still not be able to comment on it.
aristoBrat
01-12-2005, 10:00 PM
After reading the article, it seems as if our justice system is hard a work again. Instead of throwing the book at the kid, the Secret Service looks like they are going to offer him a cushy office job. :roll:
That does sound crazy.
I wonder if they're doing that to "use him" to bust even more people than they would have if they just busted him hard?
[Cruzer]
01-12-2005, 10:17 PM
After reading the article, it seems as if our justice system is hard a work again. Instead of throwing the book at the kid, the Secret Service looks like they are going to offer him a cushy office job. :roll:
That does sound crazy.
I wonder if they're doing that to "use him" to bust even more people than they would have if they just busted him hard?
Its just history repeating it self.... just like in the movie "catch me if you can" Frank Abignale (sp.)
Jon Westfall
01-12-2005, 10:27 PM
Now that we know about this, I believe any t-mobile customer exposed to possible identity theft like this should be compensated. A discount on our bills wouldn't necessarily stop identity theft from happening, but it would stop us from dropping their service like a rock.
davegovols
01-12-2005, 10:32 PM
Wonderful.....
If anyone sees my ssn number and t-mobile number floating around, will you be so kind as to let me know?
After reading the article, it seems as if our justice system is hard a work again. Instead of throwing the book at the kid, the Secret Service looks like they are going to offer him a cushy office job. :roll:
How can you fault the guy. T-mobile's commercials say, " Get More" He was just obliging himself. :lol:
rlobrecht
01-12-2005, 10:47 PM
I wonder if they're doing that to "use him" to bust even more people than they would have if they just busted him hard?
I suspect that is the case. They were able to catch him be using the cooperation of another former cracker, who was feeding the USSS information in exchange for a light sentence.
Vincent M Ferrari
01-12-2005, 11:07 PM
Hey cubed... Why don't you post your SSN and I'll look out for it for you? :-)
whydidnt
01-12-2005, 11:13 PM
I suspect that is the case. They were able to catch him be using the cooperation of another former cracker, who was feeding the USSS information in exchange for a light sentence.
Of course this does make you wonder... If one cracker led to another and they both are getting off light, where does it end...
Does he point them to another, who in return for more information gets off light, etc. etc. This is obviously a huge, unorganized network of people and hopefully somewhere along the someone will be punished appropriately.
LarDude
01-13-2005, 12:39 AM
I am amazed that TMobile has not issued a statement to it's customers warning them of this possibility.
TMobile's response (or lack thereof) is disgusting, in my opinion. I was just about to set up a T-Mobile wifi-hotspot account -- I think I'm going to nix that idea now. They have acted in very "bad faith" and should consider that very angry legitimate customers might respond by going out and buying themselves some nice presents and making bogus claims of stolen credit card numbers due to T-Mobile's security fiasco...not that this is something anyone would advocate :wink:
Jon Westfall
01-13-2005, 01:39 AM
I am amazed that TMobile has not issued a statement to it's customers warning them of this possibility.
TMobile's response (or lack thereof) is disgusting, in my opinion. I was just about to set up a T-Mobile wifi-hotspot account -- I think I'm going to nix that idea now. They have acted in very "bad faith" and should consider that very angry legitimate customers might respond by going out and buying themselves some nice presents and making bogus claims of stolen credit card numbers due to T-Mobile's security fiasco...not that this is something anyone would advocate :wink:
Don't even get me started on "bad faith" of T-Mobile. The last week my 6315 has been suffering from what I KNOW is an internal hardware problem (wifi light comes on but wifi doesn't actually come on, when you try to turn wifi off, the button greys out for a second then turns back on automagically, then the whole unit locks up 3 - 55 minutes later). So here is the summary of events:
1. Wake up Saturday, notice problem has now made phone completely useless. Call T-Mobile. Call drops twice, figure I'll just submit support ticket later.
2. Call T-Mo from landline saturday evening. Get through to someone after spending 15 min. or so on hold (well, I got through to teir 1 on the first 2 min, but after that the hold time to get to "Wireless Data" was abundant). Phone begins to ring after 15 min, and Its picked up by... A FAX MACHINE. Unable to speak modem, I hang up, go online, and submit email.
3. After 3 days of no response (they say 24 hours they'll respond in), I call yesterday from landline. Get disconnected just as I make progress with Teir 2 (this is after 2 other reps, so apparently they have 2 tier 1's. Total hold time: 30 min.
4. Call back, and as they are transferring me to Teir 2, I get the fax line again.
5. Call back, now pressed for time, and am told by rep that their is no way, even by speaking to a manager to avoid the hold times. I tell her this is unacceptable and shows great incompetence. She tells me its not incompetence, its just that they are understaffed. I inform her that not scheduling enough reps is a form of incompetence. I will say its quite amazing how nice these people remain when you speak aggressively - must be years of practice.
6. Finally call back later and get the exchange processed, total hold time on this call: 10 minutes between 3 people.
And after all that, they were nice enough to give me expedited shipping of my replacment unit, after I came out and asked for it for free. Woohoo a $15 value.
Unless you need t-mobiles unlimited internet for work (like me), do NOT go with them - I've seen their customer service go from bad to worse, and their coverage seem to go as well.
LarDude
01-13-2005, 01:49 AM
Unless you need t-mobiles unlimited internet for work (like me), do NOT go with them - I've seen their customer service go from bad to worse, and their coverage seem to go as well.
Wow! Thanks for the tip. Anyone else have any advice/opinions/horror-stories to share? I was specifically interested in subscribing to a wifi-hotspot service which I could use at airports and Starbucks for work-related travel.
PetiteFlower
01-13-2005, 02:13 AM
It's not a cushy office job, it's indentured servitude. He gets a reduced sentence in exchange for cooperation--and to tell the truth, it bothers me less to hear about it with a hacker then when they give the same deal to a mafia lord or a drug dealer, people who actually kill. But he'll be "working" most likely from prison, for no pay. Doesn't sound all that cushy to me.
I seriously hope that the secret service guy got canned though. I mean, how stupid can you be?
alabij
01-13-2005, 05:39 AM
No wonder they've been pushing their special $45.99 for 1000mins and unlimited wknds and nights. This is all to divert attention. I have a feeling they are feeling the heat. Customer service has been clogged up.
aristoBrat
01-13-2005, 07:09 PM
Wow! Thanks for the tip. Anyone else have any advice/opinions/horror-stories to share? I was specifically interested in subscribing to a wifi-hotspot service which I could use at airports and Starbucks for work-related travel.
No T-Mobile CS problems here. I have two personal lines of service with them (family plan) and manage 13 lines of service with them where I work (all PocketPC/BlackBerry).
They're far from being perfect 100% of the time, but did manage to will JD Power's 2004 Best Customer Service (for the wireless industry) award.
Guess we'll see how they do in 2005. :)
aristoBrat
01-13-2005, 07:10 PM
FWIW, this was there response I got from my work T-Mobile account rep:
T-Mobile recognizes that the security of personal information is highly important to its customers. That is why T-Mobile has security procedures in place to protect customer information.
"It is important for our customers to know that protecting their personal information is paramount to T-Mobile," said Bruce Brown, chief information officer, T-Mobile USA, Inc.
When T-Mobile discovered in October 2003 that a hacker broke into one of its internal computer systems, we quickly put into place safeguards to prevent further access and began an investigation.
The Secret Service was immediately notified by T-Mobile of the incident, and we have cooperated with the agency investigation into this criminal act against T-Mobile, which has led to finding the hacker.
T-Mobile's own investigation revealed that an unauthorized third party was able to view the name and social security number of 400 customers. Customer credit card information was not compromised. Following Secret Service clearance to provide notice to customers, T-Mobile notified the affected parties in writing in early 2004 of this incident. We know our customers appreciated the notice, and we have not been made aware of a single associated problem.
Throughout 2004, T-Mobile continued to work with the Secret Service to find the identity of the hacker. A Secret Service agent discovered an unusual incident on his own handset, perpetrated by the same hacker, and reported it to T-Mobile. Presently, we are not aware of any other device being accessed in this manner. Our internal and Secret Service investigations continue, and we will notify any T-Mobile customer if we learn of any compromise of personal information.
T-Mobile worked closely with the Secret Service to identify the hacker, resulting in the arrest and indictment of Nicholas Jacobsen in Oct. 2004. T-Mobile, as a victim of this hacking, is evaluating its remedies against the hacker as well.
"While coordinating our efforts with the Secret Service to ultimately see this hacker arrested is rewarding, the elimination of any opportunity for unauthorized access to our systems has always come first," said Brown. "We continue to monitor for any illegal attempts to access our systems, and to stay one step ahead of those who would try."
vBulletin® v3.8.9, Copyright ©2000-2019, vBulletin Solutions, Inc.