Only serious offers will be considered, it says. “Don’t waste our time.”
An apparent group of hackers posted an alert on Insecure.org on Saturday claiming responsibility for what would be a massive security breach at T-Mobile. The threat states that the group contacted T-Mobile’s competitors, but the companies didn’t show interest in buying the data, so it is now for sale to the highest bidder. The subject of the auction is described as “databases, confidental [sic] documents, scripts and programs from their servers, financial documents up to 2009.”
The post includes a list of servers as proof of the break-in that looks as if it was pasted from a spreadsheet (notice the familiar Excel “#N/A”). The listed servers also have real operating systems and real-looking IP addresses, but nothing yet confirms that this is a genuine breach, and T-Mobile has not issued a press release on its web site.
The list could have been composed by a dedicated forger, or could be from any large company, but aspects of it look legitimate or very well thought out. The location for many of the servers is “Bothell,” where T-Mobile has a data center in Washington State. It also makes reference to the T-Mobile product CallerTunes, and to several conceivable business partners like Oracle Identity Management, Teradata, and SAP. (Some Googling of random sections of it at least proves that it wasn’t lifted wholesale from another Google-indexed site.)
Of course, only T-Mobile can confirm that the information is theirs. All we can say for now is that the post took a lot of work of some kind, and the hacker’s grammar is not terrible.
Stay tuned for any T-Mobile reaction and further developments.
UPDATE: I asked T-Mobile Public Relations for a comment on the matter and they replied:
“The protection of our customers’ information, and the safety and security of our systems, is absolutely paramount at T-Mobile. Regarding the recent claim, we are fully investigating the matter. As is our standard practice, if there is any evidence that customer information has been compromised, we would inform those affected as soon as possible.”
UPDATE: Confirmed. T-Mobile has identified the document but doesn’t think there’s much of a threat to customers.
“To reaffirm, the protection of our customers’ information and the security of our systems is paramount at T-Mobile. Regarding the recent claim on a Web site, we’ve identified the document from which information was copied, and believe possession of this alone is not enough to cause harm to our customers. We continue to investigate the matter, and have taken additional precautionary measures to further ensure our customers’ information and our systems are protected. At this moment, we are unable to disclose additional information in order to protect the integrity of the investigation, but customers can be assured if there is any evidence that customer information has been compromised, we would inform those affected as quickly as possible.”
UPDATE: The company now says that no customer or company data was “compromised.” For those of you who’ve only heard this word in action movies (myself included), here’s the definition I think they’re referring to: “to reveal or expose to an unauthorized person and especially to an enemy.” In other words, “that wasn’t our spreadsheet after all.”
“Following a recent online posting that someone allegedly accessed T-Mobile servers, the company is conducting a thorough investigation and at this time has found no evidence that customer information, or other company information, has been compromised. Reports to the contrary are inaccurate and should be corrected. T-Mobile continues to monitor this situation and as a precaution has taken additional measures to further ensure our customers’ information and our systems are protected. As is our standard practice, customers can be assured if there is any evidence that customer or system information has been compromised, we would inform those affected as quickly as possible.”
UPDATE: The New York Times thinks those were file names in the hacker’s post. File names generally don’t have IP addresses all to themselves, and it’s not that important what operating system a file is “on.” Also, we don’t really bother to write down what city a file is in.
“The post also included a list of apparent file names to [sic] as proof of the breach.”
The sic is mine. That’s right. I sic-ed the New York Times.