T-Mobile confesses guilt over customer data theft

The revelation comes after the Information Commissioner's Office (ICO) went public on the data theft earlier this week, noting that data from "thousands of customers amounting to millions of records" from T-Mobile had been sold for material gain.

The ICO said that it was alerted to the data theft by T-Mobile after it became clear that middlemen had paid for the data which they sold on to other companies.

These companies then used the illegally obtained data to call T-Mobile customers whose contracts were due to expire.

A T-Mobile spokesperson said that the data was sold "without our knowledge" and that an investigation was ongoing.

The situation appears to have been sufficient to require the use of search warrants by the ICO, with interviews being carried out amongst T-Mobile staff.

In a prepared statement, the ICO said: "The existing paltry fines for Section 55 offences are simply not enough to deter people from engaging in this lucrative criminal activity. The threat of jail, not fines, will prove a stronger deterrent".

Reactions to the T-Mobile data theft case from the information security industry have been mixed, but mostly pragmatic, reflecting the fact that large databases handled by large numbers of staff are potentially vulnerable to this type of fraud and data theft.

Steve Moyle, CTO of Secerno, the database security vendor, said that, as the news continues to emerge from T-Mobile, "we know that given the number of records stolen along with the attempted sales to rival firms, we are dealing with a classic insider breach".

"Insiders stealing or tampering with data are not new. The US had a highly publicised case in which two employees of Countrywide Home Loans were prosecuted for illegally downloading and selling customer records", he said.

"What makes this breach different is the large number of potential victims - millions vs. Countrywide's thousands. In the digital age, your data is worth money, and people who are on the inside of the corporate firewall are not immune from theft."

Moyle added that all companies should have policies in place for legitimate and normal database use, with alerts in place for any downloading of multiple records as well as the ability to immediately stop any large number of records from being downloaded to avoid data theft.
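An added illustration of the controls Moyle describes (not code from the article, from T-Mobile or from Secerno): a sliding-window check over constructed database access log lines that raises an alert once a user's record volume exceeds a normal-use baseline and refuses further bulk reads past a hard limit. The log format and both thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: timestamp, user, action, records returned.
SAMPLE_LOG = """\
2009-11-17T09:00:05 alice SELECT 1
2009-11-17T09:00:20 alice SELECT 1
2009-11-17T09:01:00 bob EXPORT 250
2009-11-17T09:01:30 bob EXPORT 300
2009-11-17T09:02:10 bob EXPORT 600
2009-11-17T09:05:00 carol SELECT 3
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window for per-user totals
ALERT_THRESHOLD = 100            # assumed: records per window that is abnormal for staff
BLOCK_THRESHOLD = 1000           # assumed: hard cap beyond which reads are refused


def parse_log(text):
    """Parse the constructed log format into (timestamp, user, action, count)."""
    events = []
    for line in text.splitlines():
        ts, user, action, count = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(count)))
    return events


def evaluate(events, window=WINDOW, alert_at=ALERT_THRESHOLD, block_at=BLOCK_THRESHOLD):
    """Return (alerts, blocked): first alert per user, and requests refused."""
    history = defaultdict(list)  # user -> [(timestamp, count)] inside the window
    alerts, blocked, alerted = [], [], set()
    for ts, user, action, count in sorted(events):
        # Drop this user's events that have aged out of the sliding window.
        history[user] = [(t, c) for t, c in history[user] if ts - t <= window]
        running = sum(c for _, c in history[user])
        if running + count > block_at:
            # Refuse the request outright; it is not added to the running total.
            blocked.append((ts, user, count))
            continue
        history[user].append((ts, count))
        running += count
        if running > alert_at and user not in alerted:
            alerted.add(user)
            alerts.append((ts, user, running))
    return alerts, blocked


if __name__ == "__main__":
    found_alerts, refused = evaluate(parse_log(SAMPLE_LOG))
    print("alerts:", found_alerts)
    print("blocked:", refused)
```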

Moyle also added his support for a stronger deterrent for data theft, noting that the fines need to match the severity of the crime and to reinforce the notion that stealing a person's information is a crime.

"These current fine amounts are not enough to do that, and the proof will come from the affected customers, who are likely to agree", he said.

Mark Fullbrook, European director with Cyber-Ark, the secure collaborative working specialist, said that the T-Mobile data theft case highlights the problem of rogue employees circumventing data protection systems designed to stop external hackers and electronic attacks.

"Almost all data protection systems are designed to stop organisation's data leaking from an external attack. Internal defences are still quite new in terms of their development", he said.

"Unfortunately for many organisations, the growth of collaborative working means that, whilst major businesses must share their customer data between large numbers of staff, controlling that data effectively requires a lot of careful planning", he added.

But the situation for end users could have been worse. As Fullbrook said, had the rogue T-Mobile staffer sold the financial details of customers on to an identity thief, there could have been far more serious repercussions and a reputation-destroying story could have unfolded.

"It's likely the mobile phone company will receive a fine from this episode, but hopefully it will act as a wake-up call to the companies concerned about the need to tighten up security on customer data internally", he said.
