T-Mobile worker sold 100,000s customer names for 'substantial' amount

Having protested over being named, T-Mobile UK has now admitted to allowing its customer data to be stolen by an employee and sold for a substantial amount to a third party. Latest estimates claim that details of 100,000s of T-Mobile contract customers have been passed to agents or dealers, although pay-as-you-go users are apparently unaffected by the scam.

The company, which is now positioning itself as a victim of the crime, called in the UK Information Commissioner's Office (ICO) after it identified the loss of contract customer data. Christopher Graham, the ICO Commissioner, said that it "appears that the information has been sold on to several brokers and that substantial amounts of money have changed hands". T-Mobile has not disclosed how much data was sold, who is involved or how much money was involved.

However, the company is being lambasted for seemingly having lacked robust data protection processes. Graham Cluley, senior technology consultant at security firm Sophos, said that technology does exist to help intercept and control the movement of personal data inside organisations, "but many firms have still not taken even the most basic steps to halt it dead in its tracks. The cheapness and availability of devices like USB thumb drives has just made it easier than ever to scoop up large databases and waltz out of the office without anyone suspecting a thing."

Mark Fullbrook, European director with Cyber-Ark, the secure collaborative working specialist, said that the T-Mobile data theft case highlighted the problem of rogue employees circumventing data protection systems designed to stop external hackers and electronic attacks. "Almost all data protection systems are designed to stop organisations' data leaking from an external attack. Internal defences are still quite new in terms of their development", he said.

The ICO is also having to defend itself against a growing tide of opinion that it is using the T-Mobile case to push for breaches of data protection law to be punishable with jail sentences, not just fines.

For more on this story: The Register and The Guardian
