Although a blog reported yesterday that T-Mobile was hacked, all the hackers actually seemed to have was a list of T-Mobile server names.
A T-Mobile spokesperson told InternetNews.com in an e-mail, “Following a recent online posting that someone allegedly accessed T-Mobile servers, the company is conducting a thorough investigation and at this time has found no evidence that customer information, or other company information, has been compromised.”
“Reports to the contrary are inaccurate and should be corrected. T-Mobile continues to monitor this situation and as a precaution has taken additional measures to further ensure our customers’ information and our systems are protected. As is our standard practice, customers can be assured if there is any evidence that customer or system information has been compromised, we would inform those affected as quickly as possible,” the spokesperson added.
Security experts are left to guess at what happened.
Some thought that perhaps the hackers got into the network but did not get far. “Hackers have posted a list of servers they allegedly accessed and it is very comprehensive with some sensitive info in it. My guess is that they have been able to get access to the list of servers but not much more,” Amichai Shulman, CTO of data security vendor Imperva, wrote in an e-mail to InternetNews.com.
Others suspected a complete breach.
“Over the weekend, someone anonymously posted to the Full Disclosure security mailing list a claim that confidential documents, scripts and programs from the servers had been compromised and were being put up for sale to the highest bidder,” said a representative of identity management provider ArcSight, adding that software like ArcSight’s would provide some protection against such an intrusion.
“The list of servers that are claimed to have had their data duplicated is too long to be ignored,” said Eric Knight, senior knowledge engineer for log management vendor LogRhythm. “This incident has shown that with modern networks, an intruder could conceivably compromise a large production environment.”
Paul Henry, Lumension’s security and forensic analyst, said the Secret Service had already been called in on the case, but InternetNews.com was not able to confirm the claim.
Another said that the breach likely occurred in legacy systems.
“There are a lot of misconceptions regarding legacy systems,” said Mike Logan, CEO of data protection specialist Axis Technology. “Many organizations feel that if they leave old, rarely used data on an old system, it’s like tossing unused items in the attic: out of sight, out of mind. But like an attic, all a thief needs to know is where the door is.”
Organizations that try to secure legacy systems often use encryption, which is cumbersome “because the strings of code are often not compatible with newer systems,” said Logan. “So these companies fall into the trap of merely either ignoring it, or only securing their perimeter. But as we’re seeing with T-Mobile, all it takes is getting through the outer layer of security to get access to the valuable data.”
Perhaps the most unusual aspect of the breach is the reported ransom demand. A report by Verizon Business earlier this year said that most breaches take an hour to conduct but a month to discover, because thieves no longer post ransom notes; instead, they sell the data on the underground economy.
If there was a breach, it’s possible that the thieves won’t get away with it. “91 percent of all compromised records in 2008 was attributed to organized criminal activity. On the brighter side, we are happy to report that these efforts with law enforcement led to arrests in at least 15 cases (and counting) in 2008,” Verizon’s report concluded.