X

T-Mobile investigates possible security breach

An anonymous poster sends a message to the mailing list Full Disclosure claiming to have stolen T-Mobile customer and confidential company information.

Marguerite Reardon Former senior reporter
Marguerite Reardon started as a CNET News reporter in 2004, covering cellphone services, broadband, citywide Wi-Fi, the Net neutrality debate and the consolidation of the phone companies.
Marguerite Reardon
2 min read

Updated at 2:30 p.m. PST with security source comment.

T-Mobile USA is looking into claims that a hacker has broken into its data bases and stolen customer and company information.

Someone anonymously posted the claims on the security mailing list Full Disclosure on Saturday. In that post, the hacker claims to have gotten access to "everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009."

The poster said he had offered the information to T-Mobile competitors, but they supposedly didn't show any interest. Now he says he is offering the information to the highest bidder.

T-Mobile issued a statement that the company is looking into the matter.

"The protection of our customers' information, and the safety and security of our systems, is absolutely paramount at T-Mobile," the company said. "Regarding the recent claim, we are fully investigating the matter. As is our standard practice, if there is any evidence that customer information has been compromised, we would inform those affected as soon as possible."

Some security experts were skeptical of the claims.

"The way this data has been offered is not the way the Underground Economy usually works," said Steve Santorelli, a former Scotland Yard detective who is director of global outreach at security research firm Team Cymru. "Such a highly public offer certainly tends to suggest that this is a hoax or a scam. Many things don't add up: for example, if you'd spent the time to get all this data, surely you'd have a buyer lined up or at least the connections to discretely find a buyer. Now that 'the cat's out of the bag,' the data is worth significantly less on the open market as T-Mobile will be able to put countermeasures in place such as changing passwords."

Kelly Todd, chief communications officer at the Open Security Foundation, said there wasn't enough information publicly available to determine at this time whether the breach is legitimate or not.

"At initial glance I'd say a list like that could be legitimate," he said. However, "I would have to question their comment that they had contacted T-Mobile competitors...You'd think that in order to cover their tracks they would want to take a different route than to contact the competitors."

T-Mobile has had three prior data breaches recorded on the DataLossdb.org site, which the Open Security Foundation runs. In 2005, a teenager was able to get phone numbers of celebrities who use the service; in 2006 a laptop was reported lost that contained social security numbers and addresses of about 45,000 T-Mobile customers; and in October 2008 a disc was reported lost that contained data on about 17 million T-Mobile customers, according to Todd.

CNET News' Elinor Mills contributed to this report.