Shostack + Friends Blog Archive


Small Bits of T-Mobile

A friend wrote to T-Mobile and asked if his data was compromised in the T-Mobile break-in. A service droid sent him a press release. My comments are pointed to by the brackets.


Please see the press release below regarding the hacker investigation with
T-Mobile’s customer information. If your information was compromised you
would have been notified in early 2004. We have not been made aware of a
single associated problem.

T-Mobile Hacker Investigation (1/12)
T-Mobile’s Role in Hacker Investigation


T-Mobile recognizes that the security of personal information is highly important to its customers. That is why T-Mobile has security procedures in place to protect customer information.[1] Currently, a story is running in the media regarding an investigation into the illegal access of one of T-Mobile’s systems.

When T-Mobile discovered [2] in October 2003 that a hacker broke into one of
its internal computer systems, safeguards were quickly put into place to prevent further access [3] and the Secret Service was immediately notified by T-Mobile of the incident. T-Mobile cooperated with the agency investigation into this criminal act against T-Mobile, which resulted in the arrest and indictment of Nicholas Jacobsen in Oct. 2004.[4] T-Mobile, as a victim of this hacking,[5] is evaluating its remedies against the hacker, as well.

T-Mobile’s own investigation revealed that this unauthorized third party
was able to view the name and social security number of 400 customers. Customer credit card information was not compromised. Following Secret Service clearance to provide notice to customers, T-Mobile notified all affected customers in writing in early 2004. We have not been made aware of a single associated problem.[6]

My comments:

  1. Not very good procedures, mind you.
  2. “Was told about?”
  3. If these safegaurds were in place after October 2003, how did was Jacobsen able to make his offer to sell personal data on MuzzFuzz in March, 2004?
  4. This doesn’t match what Kevin Poulsen reported.
  5. Cry me a river. If T-Mobile didn’t demand this information, it couldn’t have been comprimised.
  6. Well, duh, Why would anyone bother to tell T-Mobile about such a problem? They seem to want to imply that there are no problems, but know they can’t get away with saying that.

4 comments on "Small Bits of T-Mobile"

  • Pete says:

    Lots of inconsistencies, I agree. The point I am intrigued about is the “400” number they came up with. I can think of a handful of possibilities:
    1. Jacobsen had a user account in the system and they are logging everything.
    2. They keep a “last viewed” date in their records and found all records that had been viewed within the offending time period (a period that is hard to tell w/ public info).
    3. They used forensics evidence on Jacobsen’s PC to identify all accounts. This is inconsistent with published reports and probably a bad way to determine the info anyway – lots of ways around it.
    4. They guessed. Doesn’t seem likely, really.

  • adam says:

    My guess is that they didn’t look very hard, found 400, and saw no reason to keep on looking, or that the 400 were found with the secret service and there may be others that they’ve decided they’re “not sure about.”

  • dan says:


  • adam says:

    I don’t know about anyone else, but this fills me with a deep sense of relief and ease. I’d been worried that B1FF was going to be unable to find work after the bubble burst. Apparently, he’s working as a t-mobile spokesperson.

Comments are closed.