T-Mobile investigates possible security breach

Updated at 2:30 p.m. PST with security source comment.

T-Mobile USA is looking into claims that a hacker has broken into its data bases and stolen customer and company information.

Someone anonymously posted the claims on the security mailing list Full Disclosure on Saturday. In that post, the hacker claims to have gotten access to "everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009."

The poster said he had offered the information to T-Mobile competitors, but they supposedly didn't show any interest. Now he says he is offering the information to the highest bidder.

T-Mobile issued a statement that the company is looking into the matter.

"The protection of our customers' information, and the safety and security of our systems, is absolutely paramount at T-Mobile," the company said. "Regarding the recent claim, we are fully investigating the matter. As is our standard practice, if there is any evidence that customer information has been compromised, we would inform those affected as soon as possible."

Some security experts were skeptical of the claims.

"The way this data has been offered is not the way the Underground Economy usually works," said Steve Santorelli, a former Scotland Yard detective who is director of global outreach at security research firm Team Cymru. "Such a highly public offer certainly tends to suggest that this is a hoax or a scam. Many things don't add up: for example, if you'd spent the time to get all this data, surely you'd have a buyer lined up or at least the connections to discretely find a buyer. Now that 'the cat's out of the bag,' the data is worth significantly less on the open market as T-Mobile will be able to put countermeasures in place such as changing passwords."

Kelly Todd, chief communications officer at the Open Security Foundation, said there wasn't enough information publicly available to determine at this time whether the breach is legitimate or not.

"At initial glance I'd say a list like that could be legitimate," he said. However, "I would have to question their comment that they had contacted T-Mobile competitors...You'd think that in order to cover their tracks they would want to take a different route than to contact the competitors."

T-Mobile has had three prior data breaches recorded on the DataLossdb.org site, which the Open Security Foundation runs. In 2005, a teenager was able to get phone numbers of celebrities who use the service; in 2006 a laptop was reported lost that contained social security numbers and addresses of about 45,000 T-Mobile customers; and in October 2008 a disc was reported lost that contained data on about 17 million T-Mobile customers, according to Todd.

CNET News' Elinor Mills contributed to this report.

[Michichael]

Wouldn't surprise me.

[gerrrg]

I wonder if EPIC will actually mention this?

[globalist_agenda]

Another reason to use pre-paid. You give the carriers your SSN, drivers license, birthdate, address, etc. just to get mobile service to send tweets? Are you nuts? Why don't you just put a sign on your door that says "Steal my stuff."?

[JCPayne]

There is NO reason for Mobile carriers to have social security numbers etc. on Laptops. All they need is to verify your information when you sign up. And retrieve it if you don't pay your bill and they have to cancel your account. The T-Mobile is completely liable here. That info should be on computers not connected to the Internet.

[globalist_agenda]

The pukes at Verizon wanted my SSN when they bought out AT&T wireless. I said hell no. I went with T-Mobile pre-paid and never looked back. Just say NO to corporate oligarchs knowing your life history. They are slime who will sell their mothers for a dime. If the president of Verizon will tell me HIS SSN then I will think about telling him mine.

[gordon_geeko]

Outsourcing can fix everything. They should just hire some hackers to track them down and hire some ex-Navy Seal or Delta Force private military contractors to apprehend them and render them to the nearest CIA interrogation site.

[guvenlik-sistemleri]

Thanks for putting up the information.

<a href="http://www.guvenliksistemleri.info" title="güvenlik sistemi" target=_blank>güvenlik sistemi</a>