T-Mobile confirmed today that its network was indeed hacked, but said it doesn’t believes any of its customer data is at risk and the penetration is not nearly as deep as the purported hackers alleged. The anonymous group claimed to have databases, confidential and financial documents, and computer scripts from the company, which it was trying to sell to the highest bidder. T-Mobile, however, says there’s nothing to sell.
To reaffirm, the protection of our customers’ information and the security of our systems is paramount at T-Mobile. Regarding the recent claim on a Web site, we’ve identified the document from which information was copied, and believe possession of this alone is not enough to cause harm to our customers. We continue to investigate the matter, and have taken additional precautionary measures to further ensure our customers’ information and our systems are protected. At this moment, we are unable to disclose additional information in order to protect the integrity of the investigation, but customers can be assured if there is any evidence that customer information has been compromised, we would inform those affected as quickly as possible.
Susan J. Bahr, a telecom attorney in D.C. that I spoke to, told me that if customer data were involved, “[U]nder the FCC’s rules, T-Mobile may not be allowed to notify its customers until a week or more after it notifies the Secret Service and FBI. So when T-Mobile says it will ‘inform those affected as soon as possible,’ that could happen today, a week from now, a month from now, or later.” That, she said, is what T-Mobile meant when it spoke of protecting the “integrity of the investigation.”
So given that T-Mobile is already making a statement that customer data is safe, it’s likely that the hackers didn’t make it to the really sensitive stuff — luckily for T-Mobile’s customers (of which I’m one) and the company.