Wednesday, January 12, 2005

T-Mobile Hacked

SecurityFocus.com just broke a story of a pretty significant breach of T-Mobile's computer systems. Life in the wireless world just got a lot tougher. For users, their comfort and confidence just took a big hit. For those of us who sell wireless, security just moved from the benefit column to the challenges column. The main reason for this level of impact is not this incident alone, but the implication that it could happen again. It's hard to worry about something that has never happened. It's easier to worry when you can point at even one situation where it did happen.

Even though T-Mobile has not responded to the story yet, I do want to share some of my observations to help put this in a proper perspective. The sky is NOT falling in wireless security. Some plaster has been shaken loose though.

The Bad News: The hacker got names, Social Security Numbers, and birth dates for many customers. The hacker also got pretty deep into the SideKick server. This server relays messages for SideKick users. It also can store on-line copies of the user's contact list and calendar if the customer chooses to do so. Here, the hacker got SideKick account passwords, SIM numbers and IMEIs. These are basically serial numbers for the SideKick and the "Subscriber Identity Module" that is in the SideKick. The biggest news is that one of the SideKick users that the hacker monitored was the Secret Service agent tracking the hacker. The hacker also copied some of this agent's SideKick e-mails off of the SideKick server. Some press reports make it sound like the hacker pulled them directly off of the SideKick. This is HIGHLY unlikely, and unnecessary since all SideKick e-mails pass through the server that was hacked.

Good News: According to T-Mobile, everyone whose accounts were compromised has already been notified of the breach. If you haven't been notified, you are probably safe. Although the breach of the SideKick server is serious, there is no indication of a breach of the BlackBerry Web Client (BWC). The BWC is a similar server for BlackBerry users and is hosted by RIM. Knowing quite a bit about the security involved with the BWC, it is safe to say that this breach had little, if any, impact on the BlackBerry services. Here is a great reason to choose BlackBerry and a BlackBerry Enterprise Server (BES) over any Web Hosted solution. The BES is a server that the customer hosts themselves, behind their own firewall, and that they have total control over.

My recommendation: If you are a T-Mobile customer, be assured that all indications are that your personal information is safe. That being said, I would recommend that all T-Mobile subscribers who use My T-Mobile or the SideKick services change their account passwords, more for peace of mind than necessity. Besides, it is always a good practice to change passwords periodically anyway.

This is not a pretty situation, but understand that this kind of breach is not unique to your wireless carrier. I know, that is not very reassuring, but the truth is that these same kinds of breaches have occurred with banks, airlines, medical insurance companies, and many other businesses. For those of you directly affected by these events, I understand the tragic impact this can have. For everyone else, understand that this is one of the risks of the information age. For anyone interested in law enforcement, may I recommend cyber-security as a career. This truly is the "wild west" of modern crime and lawlessness.

I'll probably comment more when I see what T-Mobile and others have to say over the next couple days.
