T-Mobile Data Breach Raises Retail M-Commerce Concerns

As retail IT execs start to experiment with—and actually deploy—mobile-commerce applications more, the realization that they have to rely on their new telecom partners to safeguard their experimental data is proving to be unnerving.

Recent incidents involving T-Mobile—where the carrier was forced to confirm some claims of a supposed cyberthief who said that he had hacked in and stolen databases, documents and scripts—don't help.

As e-tailers have learned the hard way from E-Commerce, customers don't care about tidy legal contracts assigning responsibility and quality-of-service obligations. If they go to a Wal-Mart or a Home Depot site and they have a bad experience—whether it's with uptime, a FedEx delivery hiccup, incorrect status reports, a video consumer comment that glitches or anything else that the retailer may or may not be directly handling—those customers are going to blame Wal-Mart or Home Depot and might take their business elsewhere. If M-Commerce is on your plate, you need to get used to living by the carrier's standards.

The T-Mobile situation is much more than unsettling. It's also baffling, with the public positions taken by both T-Mobile and the supposed intruder internally contradictory. (When a company seems to contradict itself in mid-statement, times are tough. When both entities in a conflict do it, welcome to telecom security discussions. If retail security in a time of PCI is 1984 and Catch-22, telecom security is Alice in Wonderland with major elements borrowed from The Lord of the Rings.)

This T-Mobile business started on Saturday (June 6), when someone identifying himself or herself as pwnmobile posted on the Full Disclosure mailing list that they had grabbed a ton of data from T-Mobile. "Tmobile has been owned for some time. We have everything: their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009," the post said. "We already contacted their competitors and they didn't show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder. Please only serious offers, don't waste our time."

The post then displayed lines of code ostensibly from a T-Mobile server and asked for offers to be made to [email protected], an E-mail address that isn't working now (and it's not clear if it ever was working).

The surprise came this week when T-Mobile took the unusual step of publicly confirming that the posted data had indeed been taken from a secure area of a T-Mobile server. The surprise came this week when T-Mobile took the unusual step of publicly confirming that the posted data had indeed been taken from a secure area of a T-Mobile server. But T-Mobile said it's not a concern because officials there "believe possession of this alone is not enough to cause harm to our customers."

Fair enough. This is implying—appropriately—that if the cyber thief actually had the kind of juicy customer information that he/she implies he/she has, a sample of that would have been posted instead of the relatively innocuous lines of code that was published.

If this was a serious ransom attempt, the seller would certainly have to disclose more details to any prospective buyer so at least a sample might as well be disclosed upfront. (How such a public random offer could work is another mystery, as the seller would almost certainly have to assume that some of the prospective buyers would be undercover Secret Service agents. But that's another issue.)

USA Today had a nice take on another part of the statement. T-Mobile's statement said: "At this moment, we are unable to disclose additional information in order to protect the integrity of the investigation, but customers can be assured if there is any evidence that customer information has been compromised, we would inform those affected as quickly as possible." That prompted USA Today to ask: "If you're a T-Mobile patron, your mind should now be at ease, right? According to T-Mobile, until you otherwise hear from them, you can discount Pwnmobile's claims that he has been pilfering from the T-Mobile's databases 'for some time.'”

But it gets better. T-Mobile then added to its statement, saying that the document was "copied" by Pwnmobile and that the document "did not get into his hands via a hack," according to the USA Today story, which then quotes that same supplemental T-Mobile statement as saying—with a presumed USA Today paraphrase--that T-Mobile's "investigators can't yet say for certain how Pwnmobile got his mitts on a copy of the document."

Wait a second. If T-Mobile doesn't know how this document got out, how can it say with such certainty how it did not get out? On what basis are they ruling out that someone hacked in and grabbed that file? Surely they can't be relying solely on server logs as that's the first thing that an intruder would alter.

It doesn't help that T-Mobile's owner, Deutsche Telekom, confirmed last year a data breach grabbing some 17 million records. Could the file in question have been part of that heist? Do bad security habits run in the family?

For years, T-Mobile has been among the most aggressive telecom companies in the area of tracking customer locations, using technology that has allowed them to pinpoint more precisely and in different ways than others, which might explain why they're such an attractive target.

But no matter how the T-Mobile situation turns out—and please don't rule out the possibility that we'll never officially hear how it turns out—this should be something that all major retailers need to seriously consider as they move into M-Commerce. This isn't to say that they shouldn't make those moves, but that they have to insist that their new partners take data as seriously as they do. (pause) Ok, perhaps I should rephrase that last line.