T-Mobile USA - Information Security

Information Security

Nicolas Jacobsen was charged with intruding into the company's internal network in January 2005. Reports indicated that for about a year Jacobsen had access to customer passwords, e-mail, address books, Social Security numbers, birth dates, and Sidekick photos. Affected customers included members of the United States Secret Service. A Secret Service informant identified Jacobsen as part of "Operation Firewall", which provided evidence that Jacobsen had attempted to sell customer information to others for identity theft. T-Mobile USA and the Secret Service did not elaborate on the methods Jacobsen used to gain access, but sources close to the case indicated that Jacobsen exploited an unpatched flaw in the Oracle WebLogic Server application software used by the company. Additional SQL injection vulnerabilities in the company's web site were reported by Jack Koziol of the InfoSec Institute.

T-Mobile offers access to voice mail without the input of a password by default. Parties acting in bad faith may be able to access such voice mailboxes via Caller ID spoofing. To avoid this possibility, T-Mobile recommends that all customers password-protect their mailboxes, but it still offers the no-password configuration by default due to customer demand.

On June 6, 2009, a message posted from an email account "pwnmobile_at_Safe-mail.net" to the Full Disclosure mailing list claimed that the company's network had been breached and showed sample data. The sender offered "databases, confidential documents, scripts and programs from their servers, financial documents up to 2009" to the highest bidder. On June 9, the company issued a statement confirming the breach but stating that customer data was safe. It claimed to have identified the source document for the sample data and believed it was not obtained by hacking. A later statement claimed that there was not any evidence of a breach.
