bit-tech.net

T-Mobile investigates database crack

T-Mobile is currently investigating an alleged penetration of their system after a cracker offered company data to the highest bidder.

T-Mobile is investigating claims that a cracker has penetrated its corporate databases and stolen personally identifiable information on the company and its customers.

As reported over on CNet, the investigation centres on claims made by an anonymous contributor to the Full Disclosure security mailing list. In the posting, the individual claims to have penetrated T-Mobile's systems and gained illegitimate access to “everything [-] their databases, confidential documents, scripts and programs from their servers, [and] financial documents up to 2009.”

The alleged cracker is, apparently, motivated primarily by greed: claiming to have “already contacted with their competitors and they didn't show interest in buying [the data],” the unknown individual is asking for “serious offers” in an attempt to sell the data to the highest bidder.

In order to offer some form of verification of the claims, the cracker provides a dump of one of the databases retrieved – and it certainly appears to be a genuine dump from a mobile phone provider, offering as it does glimpses into “CallerTunes,” “DSPA,” and “Billing eBill.” Somewhat worryingly, the list also appears to contain data for backup and archive servers located within T-Mobile's internal network – servers that are likely to contain entire dumps of all corporate information passing through the company.

T-Mobile has issued a statement which – beyond the traditional “the protection of our customers' information, and the safety and security of our systems, is absolutely paramount at T-Mobile,” disclaimer – states that the company is “fully investigating the matter,” and promises to “inform those affected as soon as possible” should any customer data have been exposed in the alleged attack.

Do you predict a sad end for a cracker brazen enough to post about his exploits on a public mailing list, or is this evidence that tech companies are failing to protect the increasing quantities of personal data they store? Share your thoughts over in the forums.

7 Comments

DarkLord7854 9th June 2009, 15:16 Quote
Well, I hope the ******* gets caught and I hope my info is not part of what he stole :(
thehippoz 9th June 2009, 15:21 Quote
lol I dunno.. that's pretty ballsy to try and sell it whole like that- I'm sure he'll get offers if it has the right kind of information.. but that's a big risk if he's in the states (I doubt it).. betting russian
p3n 9th June 2009, 19:34 Quote
Was reading about this on slashdot, the amerifags in the comments were saying t-mobile can't 'encrypt' the data because of all the police/agency access rules or whatever - still sounds like this guy has been in their system for a while - if it's true then some admins are in for a sacking :p
n3mo 10th June 2009, 01:23 Quote
Well, this amount of data translates into hundreds of gigabytes, if not terabytes. So either this guy exaggerates a bit or T-Mobile have the worst admins in the world, missing such amounts of data going "somewhere". This could also be done from the inside or by a pissed-off ex-employee, in such cases it would be much harder to spot. Either way, it's a big failure for T-Mobile.

@p3n
Encryption of corporate data is a "grey area" and most companies are still afraid to do it at all. In UK for example all kinds of encryption are technically illegal, legally you can't even use SSH or sFTP, in US encryption is okay but the companies are afraid of being accused of trying to hide the data - that happened several times in different cases, judges often fail to understand data encryption and assume it's an attempt to hide evidence.
Gareth Halfacree 10th June 2009, 08:37 Quote
Quote:
Originally Posted by n3mo
In UK for example all kinds of encryption are technically illegal, legally you can't even use SSH or sFTP
Are you *absolutely* certain about that? Because I think you'll find that "HTTPS" (or HTTP over SSL) is encryption, and is sort of at the heart of all Internet commerce - and is even used on government websites.

Last I checked, encryption was perfectly legal in the UK. The Regulation of Investigatory Powers Act (RIPA) requires you to hand over your key on request or face several years in gaol, but it's not the *encryption* that's illegal - it's the refusal to decrypt on demand.
mclean007 10th June 2009, 12:51 Quote
Quote:
Originally Posted by Gareth Halfacree
Quote:
Originally Posted by n3mo
In UK for example all kinds of encryption are technically illegal, legally you can't even use SSH or sFTP
Are you *absolutely* certain about that? Because I think you'll find that "HTTPS" (or HTTP over SSL) is encryption, and is sort of at the heart of all Internet commerce - and is even used on government websites.

Last I checked, encryption was perfectly legal in the UK. The Regulation of Investigatory Powers Act (RIPA) requires you to hand over your key on request or face several years in gaol, but it's not the *encryption* that's illegal - it's the refusal to decrypt on demand.
Gareth - you are absolutely right. Love the use of the archaic spelling of "gaol" btw. Good to see someone flying the flag for good old British English in the face of the scourge of AmericaniZation.

n3mo - with respect, you're talking rubbish.
n3mo 10th June 2009, 13:41 Quote
@mclean007
According to this place:
http://rechten.uvt.nl/koops/cryptolaw/cls2.htm#uk
I was partly wrong. While not entirely illegal, the fact that you encrypt something may be an incriminating fact in itself: "the fact of the appellants' knowledge of the keys may itself become an incriminating fact" (§21)
Also, refusal of handing in the keys on demand doesn't fall under the privilege against self-incrimination, not very democratic if you ask me.