T-Mobile Denies Customer Data Breach

T-Mobile maintained that the data posted to the Full Disclosure Web site Saturday indeed belonged to the company, but said claims that hackers took customer or corporate data were false.

"The document in question has been determined to be a T-Mobile document, though there is no customer information contained in the document," the company said in a statement. "There is no evidence to indicate that the T-Mobile security system was hacked into nor any evidence of a breach."

On Saturday, hackers posted what appeared to be network scans while claiming that they had broken into a T-Mobile database that gave them access to untold numbers of customer accounts and sensitive corporate data.

"We have everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009," the hackers said in an e-mail. However, attempts to contact the hackers at the address in their e-mail -- [email protected] -- resulted in a mail system delivery failure notice.

id

unit-1659132512259

type

Sponsored post

The hackers wrote in the posting that they had attempted to sell the data to the company's competitors but were thwarted when they received no response. The hackers then said that the information would be sold to the highest bidder.

In a statement issued Monday, T-Mobile said that it was continuing to investigate the alleged hack, while maintaining that "the possession of this [posted file log data] alone is not enough to cause harm to our customers."

Despite the fact that the hackers' allegations appear to be false, security experts say that often, major telecom carriers such as T-Mobile suffer data breaches, as they rely on antiquated legacy systems that are difficult to secure.

Mike Logan, president of data security and IT consulting company Axis Technology, said that frequently, enterprise companies feel they are safe if they upgrade and secure some new areas, but leave others alone, believing that at-rest data is not a target for cybercriminals.

One possible solution would be for companies to "mask" sensitive data with fictitious or "fake" information, Logan said.

"If data is stolen, masked data is useless to a thief because it is out of context with no way to utilize it outside of the environment," Logan said via e-mail. "So for example, if someone hacks into a database, loses a laptop or loses a box of printouts, the data is entirely safe, and unlike with encryption, the missing data does not need to be reported."

Meanwhile, Logan added that enterprise companies will continue to face increased extortion or ransom attempts.

"Thieves seem to be weighing two things -- the value of individual records to organized crime rings, which have been known to purchase records at a dollar apiece. In large volumes, that's a major payday," Logan said. "On the other hand, what is it worth to the organization who experienced the loss to prevent that from happening?"