The revelation comes after the Information Commissioner's Office (ICO) went public on the data theft earlier this week, noting that data from "thousands of customers amounting to millions of records" from T-Mobile had been sold for material gain.
The ICO said that it was alerted to the data theft by T-Mobile after it became clear that middlemen had paid for the data which they sold on to other companies.
These companies then used the illegally obtained data to call T-Mobile customers whose contracts were due to expire.
A T-Mobile spokesperson said that the data was sold "without our knowledge" and that an investigation was ongoing.
The situation appears to have been sufficient to require the use of search warrants by the ICO, with interviews being carried out amongst T-Mobile staff.
In a prepared statement, the ICO said: "The existing paltry fines for Section 55 offences are simply not enough to deter people from engaging in this lucrative criminal activity. The threat of jail, not fines, will prove a stronger deterrent".
Reactions to the T-Mobile data theft case from the information security industry have been mixed, but mostly pragmatic, reflecting the fact that large databases handled by large numbers of staff are potentially vulnerable to this type of fraud and data theft.
Steve Moyle, CTO of Secerno, the database security vendor, said that, as the news continues to emerge from T-Mobile, "we know that given the number of records stolen along with the attempted sales to rival firms, we are dealing with a classic insider breach".
"Insiders stealing or tampering with data are not new. The US had a highly publicised case in which two employees of Countrywide Home Loans were prosecuted for illegally downloading and selling customer records", he said.
"What makes this breach different is the large number of potential victims - millions vs. Countrywide's thousands. In the digital age, your data is worth money, and people who are on the inside of the corporate firewall are not immune from theft."
Moyle added that all companies should have policies in place for legitimate and normal database use, with alerts in place for any downloading of multiple records as well as the ability to immediately stop any large number of records from being downloaded to avoid data theft.
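The control Moyle describes, an alert on multi-record downloads plus a hard stop on bulk ones, can be expressed as a per-user sliding-window check over database audit events. This is an added example, not code from the article or from Secerno; the thresholds, the event format and the `monitor` function are assumptions made for illustration.

```python
from collections import defaultdict, deque

ALERT_ROWS = 500    # assumed policy: alert once a user exceeds this per window
BLOCK_ROWS = 5000   # assumed policy: withhold results that would exceed this
WINDOW_S = 3600     # sliding window length in seconds

# Constructed audit events: (epoch seconds, database user, rows the query returns)
SAMPLE_EVENTS = [
    (0, "agent_a", 1),
    (120, "agent_a", 2),
    (600, "agent_c", 400),
    (900, "agent_c", 450),    # 850 rows inside the window
    (1200, "agent_c", 4500),  # would bring the window total to 5350
    (1500, "agent_c", 10),
    (9000, "agent_c", 5),     # earlier reads have aged out of the window
]

def monitor(events, alert_rows=ALERT_ROWS, block_rows=BLOCK_ROWS, window_s=WINDOW_S):
    """Return (ts, user, rows, decision) per event; decision is allow/alert/block."""
    history = defaultdict(deque)  # user -> (ts, rows) of results actually delivered
    totals = defaultdict(int)     # user -> rows delivered inside the current window
    decisions = []
    for ts, user, rows in sorted(events):
        delivered = history[user]
        # Expire reads that have slid out of the window.
        while delivered and delivered[0][0] <= ts - window_s:
            totals[user] -= delivered.popleft()[1]
        projected = totals[user] + rows
        if projected > block_rows:
            decision = "block"    # result withheld, so it is not counted
        else:
            delivered.append((ts, rows))
            totals[user] = projected
            decision = "alert" if projected > alert_rows else "allow"
        decisions.append((ts, user, rows, decision))
    return decisions

if __name__ == "__main__":
    for ts, user, rows, decision in monitor(SAMPLE_EVENTS):
        print(f"{ts:>5} {user:<8} rows={rows:<5} {decision}")
```

The decision is taken before the result set is released, so a blocked query never reaches the client, and the user stays in the alert state until their earlier reads age out of the window.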
Moyle also added his support for a stronger deterrent for data theft, noting that the fines need to match the severity of the crime and to reinforce the notion that stealing a person's information is a crime.
"These current fine amounts are not enough to do that, and the proof will come from the affected customers, who are likely to agree", he said.
Mark Fullbrook, European director with Cyber-Ark, the secure collaborative working specialist, said that the T-Mobile data theft case highlights the problem of rogue employees circumventing data protection systems designed to stop external hackers and electronic attacks.
"Almost all data protection systems are designed to stop organisations' data leaking from an external attack. Internal defences are still quite new in terms of their development", he said.
"Unfortunately for many organisations, the growth of collaborative working means that, whilst major businesses must share their customer data between large numbers of staff, controlling that data effectively requires a lot of careful planning", he added.
But the situation for end users could have been worse. As Fullbrook said, had the rogue T-Mobile staffer sold the financial details of customers on to an identity thief, there could have been far more serious repercussions and a reputation-destroying story could have unfolded.
"It's likely the mobile phone company will receive a fine from this episode, but hopefully it will act as a wake-up call to the companies concerned about the need to tighten up security on customer data internally", he said.
20 November 2009
This breach is a reminder that organizations should be proactively reviewing employees' data privileges to ensure that they only have access to the information that is required to perform their duties. In addition, having database activity monitoring solutions in place will allow companies to monitor sensitive data and issue immediate alerts if inappropriate access occurs.
Thom VanHorn, VP of Global Marketing, Application Security, Inc.
19 November 2009
Indeed - a significant lesson in multinational company security. I suspect that, as communication services become ever more commoditised and profit margins reduce, we're going to see more divisions of multinationals outside of their home/headquarter countries hit by rogue employee data leakages like this one. As the ICO office says - the paltry fines are no longer enough.
Steve Gold, Technical Editor, Infosecurity.
19 November 2009
I started work for T-Mobile last year and it soon became apparent to me that they had massive holes in their IT security - enough to drive a coach and horses through. They had no IT Security Manager in place or anybody seemingly in control. I offered to tell them how people could steal their confidential data, but they completely ignored me. Guess you reap what you sow, eh?