Handheld questions raised in T-Mobile hacking
By Tricia Duryee, Seattle Times technology reporter
An intrusion into T-Mobile USA's computer system, which the Bellevue company acknowledged this week, raises questions about the use of unsecured personal devices to gain access to vital information, security experts said.
In T-Mobile's case, the intruder accessed sensitive customer information, including the investigative documents of a U.S. Secret Service agent who occasionally used a personal handheld device in his work. The device stores information on servers at T-Mobile and another company that makes the device.
Mike Simon, chief technology officer of Conjungi Networks, a Seattle security-consulting firm, said he makes sure clients know about the risks associated with handheld devices.
He said some precautions are taken when it comes to data on handhelds, but security can fall through the cracks when the data is being transferred from a handheld to its final resting point.
That leaves a hole for intruders to attack, Simon said.
"We haven't seen a lot of it yet, but my guess is we are going to see a lot more," he said. "Because of the profile of the people carrying these devices, it's not just recipes and innocuous communication; it's executive-level e-mail."
The T-Mobile case dates to October 2003, when the intruder first accessed the T-Mobile server, obtaining the names and Social Security numbers of 400 customers. T-Mobile said it immediately put a stop to this break-in and notified customers.
The following summer, the same intruder accessed the T-Mobile account of Secret Service Agent Peter Cavicchia and viewed documents containing "highly sensitive information" regarding Secret Service criminal cases, according to court documents.
A Secret Service official said Wednesday that it was against policy for Cavicchia to use his personal T-Mobile account for work.
The Secret Service incident led to the indictment last year of Nicholas Lee Jacobsen, 21, in U.S. District Court of the Central District of California.
Jacobsen, arrested in October, was charged with "impairing the integrity" of "a computer system" and causing at least $5,000 in losses during a one-year period. A status conference is scheduled for Feb. 14.
T-Mobile said yesterday it is unaware of any problems among customers associated with the intrusion.
"To our knowledge there have been no repercussions to any of our customers," said Peter Dobrow, a T-Mobile spokesman.
The company said it and the Secret Service are still investigating the second incident to determine whether other customers were affected.
"We are not aware of any other device that was accessed in that manner," Dobrow said. "The hacker had access to very limited information, but it is still under investigation."
Cavicchia, the Secret Service agent, was using a T-Mobile Sidekick, a device that provides voice, e-mail, instant-messaging and Web-browsing capabilities. It stores some information on a server operated by T-Mobile and Danger, the Palo Alto, Calif.-based company that makes the device, according to court documents.
With access to the server, the intruder was able to view Secret Service documents, the court papers said.
Cavicchia resigned from the Secret Service, but he told The Associated Press he was not asked to leave. He said he was cleared during an internal investigation into whether he had improperly revealed sensitive information or violated agency rules.
Bruce Schneier, chief technology officer of Counterpane Internet Security in Mountain View, Calif., said the incident at T-Mobile has prompted people to ask where their information is being stored and who is responsible for it.
"All of your information is owned by someone else," he said. "The T-Mobile hack is an eye-opener. It's your voice mail, but it's on T-Mobile's computers. T-Mobile's security problems affect you."
Tricia Duryee: 206-464-3283 or firstname.lastname@example.org
Copyright © 2005 The Seattle Times Company