Wireless Provider's Servers Accessed | Lowe's Home Improvement

Wireless Provider's Servers Accessed

With a plot line right out of Hollywood, a 21-year-old hacker had free rein over T-Mobile's 16.3 million customer accounts, including many social security numbers, dates of birth, voice mail PINs and passwords for customers' web access to e-mails, according to government filings in the case. The fourth-largest wireless network operator in the United States was unaware of the breach, which had occurred at least a year before.

The unauthorized access came to light only after the hacker began offering customer information and pictures taken with T-Mobile Sidekick phones. Investigators with the Secret Service noticed the private data for sale during "Operation Firewall," a criminal investigation that netted 28 fraud and computer crime suspects from eight states and six foreign countries. In a twist of irony, the T-Mobile hacker had accessed a Secret Service agent's phone during the agent's investigation of the underground networks. The hacker offered a government informant classified documents accessed from the agent's phone. The documents are described in a Secret Service affidavit as "highly sensitive information pertaining to ongoing USSS criminal cases."

By policy, agents with the Secret Service are not supposed to access classified e-mail via their personal wireless devices, but in this case a lapse in proper protocol led to a leak in the government's case against the hacker networks. According to an affidavit filed by cyber crime agent Matthew Ferrante, the agency informed the wireless company after the Secret Service discovered the hacker's offers of information from T-Mobile in March of 2004. By July, the company discovered that the intruder had indeed accessed its customer databases. T-Mobile could be negligent under California's anti-identity theft law "SB1386" because it has known about the intrusions since July of 2004 but has not yet issued any public warning. The company is obliged to notify any California customers of a security breach in which their personally identifiable information is "reasonably believed to have been" compromised. That notification must be made in "the most expedient time possible and without unreasonable delay," but may be postponed if a law enforcement agency determines that the disclosure would compromise an investigation.

Customer privacy has been compromised and the fourth-largest wireless network operator's reputation has been brought into question. The hacker, Nicolas Jacobsen, then living in Santa Ana, California, faces two felony counts of computer intrusion and unauthorized impairment of a protected computer and is awaiting a status conference in federal court on February 14th. Celebrity users of T-Mobile camera phones, such as Demi Moore, Ashton Kutcher, Nicole Richie and Paris Hilton, have had their stolen digital photos posted on the Internet. Jacobsen was arrested with little fanfare on October 27th, and secrecy still surrounds the case. A friend of Jacobsen has disclosed that the government may be offering a plea deal in exchange for his work in finding other criminals. So another hacker becomes a government employee, but what about the consumer who is left to question the security of their information in the hands of trusted companies? What steps will organizations take to protect customer data and thereby protect their own reputation?


Home Improvement Chain Targeted by Wardriver

Three men were charged with intent to steal credit card information from the national computer system of the Lowe's home improvement chain. One of the men, Brian Salcedo, 21, of Whitmore Lake, Michigan, was sentenced on December 15th, 2004 to nine years in federal prison.

The interesting aspect of this case is that one of the other men, Adam Timmins, became one of the first to be convicted of wardriving. This hacking technique involves driving around with an antenna in search of vulnerable wireless Internet connections. The three hackers tapped into the wireless network of a Lowe’s store in Southfield, Michigan, and then used that connection to access six other stores and the chain's central network in North Wilkesboro, N.C. Once inside, a program was installed to capture credit card information.

"I think the massive amount of potential loss that these defendants could have imposed was astounding, so that's what caused us to seek a substantial sentence against Mr. Salcedo," federal prosecutor Matthew Martens said. The frightening part is that Lowe’s only discovered the breach when the malicious program caused some of their point-of-sale machines to crash.

The trio has been convicted, but what about Lowe’s? Shouldn't they have discovered the intruder sooner? The actions by these hackers occurred over a period of time and could have been stopped with the simplest of policies for their wireless Internet connections. If the red flags hadn't appeared from the crashed point-of-sale devices, how many credit card numbers would they have gathered? Privacy-conscious consumers file lawsuits and complaints with the Federal Trade Commission against companies that fail to protect their private data. The penalties are steep. Consider the California law passed in 2003 that applies to any company doing business in the state. Companies that fall short in securing themselves expose themselves to a penalty associated with the cost of notification and the negative impact on image and consumer confidence they would have faced had they properly disclosed the breach. Private remedies may be sought by consumers, which could include class actions. The statute also states that any "business that violates, proposes to violate, or has violated this title may be enjoined."

Failure to comply with this privacy statute can lead to civil liability damages of up to $2,500 per violation, for a total of up to $500,000 per occurrence. The fine is "irrespective of the amount of damages suffered by the consumer as a result of that violation." There is no limit on the level of damages per occurrence if the violation was known and willful. Additionally, all fines can be doubled in instances where the violation results in the identity theft of a consumer.

Without the enhanced vigilance of the world's retailers and service providers who store and maintain consumer data, the problems will grow as the pre-teen computer whiz now seeks a place for his ability. The three Lowe’s hackers have become celebrities in the black hat community. Kevin Mitnick is the father of the hacker who gains fame and fortune through his crimes. He spent more than 5 1/2 years behind bars for his exploits, which cost companies millions of dollars through the theft of their software and the alteration of computer information. Victims included Motorola, Novell, Nokia and Sun Microsystems. Shouldn't today's companies protect us from these criminals seeking to gain financially or infamously from cyber crime?