Shostack + Friends Blog Archive

T-Mobile

A sophisticated computer hacker had access to servers at wireless giant T-Mobile for at least a year, which he used to monitor U.S. Secret Service e-mail, obtain customers’ passwords and Social Security numbers, and download candid photos taken by Sidekick users, including Hollywood celebrities, SecurityFocus has learned.


T-Mobile, which apparently knew of the intrusions by July of last year, has not issued any public warning. Under California’s anti-identity theft law “SB1386,” the company is obliged to notify any California customers of a security breach in which their personally identifiable information is “reasonably believed to have been” compromised. That notification must be made in “the most expedient time possible and without unreasonable delay,” but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation.

I expect there to be a lot more of these stories, and the public to become desensitized. Before that happens, be sure to write T-Mobile, if they’re your provider, and ask if your information was compromised. Ask what they’re doing to prevent more such incidents. Ask when they’re going to make pre-pay accounts the same as ones where they risk your personal information. Ask for an answer in writing. Share it with the web!

(From Kevin Poulsen at SecurityFocus, or see Technorati for more blog comments.)