T-Mobile Confirms Security Breach
T-Mobile has reportedly confirmed that information about its servers posted by hackers on an incident disclosure Web site is authentic, but sensitive information does not appear to have been compromised.

"To reaffirm, the protection of our customers' information and the security of our systems is paramount at T-Mobile. Regarding the recent claim on a Web site, we've identified the document from which information was copied, and believe possession of this alone is not enough to cause harm to our customers. We continue to investigate the matter, and have taken additional precautionary measures to further ensure our customers' information and our systems are protected. At this moment, we are unable to disclose additional information in order to protect the integrity of the investigation, but customers can be assured if there is any evidence that customer information has been compromised, we would inform those affected as quickly as possible."

On Saturday, unidentified hackers posted a long list of T-Mobile servers on insecure.org and claimed to have possession of extensive amounts of T-Mobile technology specifications, operational data and customer records. The hackers said they would provide the data to the highest bidders. Attempts to sell the information to T-Mobile competitors were rejected, they said.

Many observers and security analysts question the validity of the claims, and said it would be nearly impossible for hackers to collect terabytes of data unnoticed. However, several people claiming to be former T-Mobile employees submitted posts to the Channel Insider blog stating that the list of servers looked authentic.
>>Early Reports of Massive T-Mobile Breach

Comments (1)
The so-called proof is pretty interesting. Having worked in the telco industry for years (although not now), quite a few of those listed assets are what I would expect to find. However, what puts a hole in the credibility of the list is the fact that, based on OS versions, they either haven't done any patching in at least 4 years or the list is 4 years old.
HP-UX 11.00 - 1997
HP-UX 11.11 - 2000
HP-UX 11.23 - 2003
SunOS 5.8 - 2000
SunOS 5.9 - 2002
SunOS 5.10 - 2005
AIX 5.3 - 2004
Linux 4ES - 2005
Companies the size of T-Mobile that do credit card processing have to be PCI compliant. Part of being compliant is having a policy that enforces routine patching of systems, which they have to show proof of; I doubt any PCI auditor would pass them with a list that old. T-Mobile would risk losing their PCI compliance or have to pay fines monthly. Granted, some of those OSes still have support and some recent patches, but I still doubt they haven't deployed any new hardware with OSes in at least 4 years.
My opinion is that the list was legitimate at some time in the past and was purged at the end of its data retention life cycle. The fact that this data, however old it may be, still finds itself in the public domain is scary, but I wouldn't pay for the so-called data.
Posted by stronghenge | June 9, 2009 2:29 PM