T-Mobile UK Employees Sold Customers' Information 65
angry tapir writes "Workers at T-Mobile UK have been selling customer data to brokers who worked for the competition, according to T-Mobile and the UK's Information Commissioner's Office. Criminal charges are being prepared. 'Many thousands' of customers' account details, millions of records, were sold to several brokers for substantial amounts of money, the ICO said. In an announcement (PDF) from the ICO, the agency does not name the operator involved, but T-Mobile acknowledged that it had alerted ICO about the data breach. The BBC reports that after the other mobile operators said they were not the subject of the investigation, T-Mobile confirmed its involvement."
Re:T-Mobile Customer (Score:3, Informative)
I'm not the only one who likes T-Mobile for their customer support. [cnn.com]
Re:Vote with your feet (Score:4, Informative)
I've cancelled direct debits and my contract. Vote with my feet - if they want to be fool enough to sue me for the loss of the contract then they can expect to get countersued for the cost of credit monitoring. Until people start slapping the companies hard by refusing to do business with them this will carry on the UK data protection *laws* are good, but the *penalties* are worthless as a deterrent.
Whom? T-Mobile?
You must be a hit at restaurants. When the waiter gets your order wrong, I'm betting you tell everyone there to not eat at that restaurant again.
It seems to me that T-Mobile did the right thing, and contacted the authorities once they figured out what was going on. You want to punish them for that?
Although, you didn't specify anyone. Perhaps you meant the companies that bought information?
patterns (Score:2, Informative)
Detect abuse (rising to the level of unauthorized access) of access privileges to access a handful of records? Very hard.
Detect abuse of access privileges that constitute unauthorized access to "millions of records"? Very easy. It's all about automatically flagging abnormal or unusual patterns of accesses so that they can be audited to determine if they were authorized (highly unlikely at that volume difference) or unauthorized.
But first the data/system owner has to care about unauthorized access. The DoD and other owners of classified data care. Heck, credit card companies (in the form of their fraud departments) care. Demonstrably T-Mobile UK did not care about unauthorized access.
Re:And why shouldn't they? (Score:5, Informative)
Well in nations that have a government willing to keep telco's in line, like in Australia.
Waiting for the inevitable extremist right wing mod down for suggesting that regulation can actually help the consumer by making sure businesses adhere to the rules.
OK, things aren't perfect here in Australia, but abuse is kept to a minimum as it only takes one phone call to the TIO (Telecommunications Industry Ombudsman) to sort things out if my telco screws me and if the TIO finds merit in my claim the Telco is ordered to pay for the TIO's investigation as well as any punishment that is handed out.
I'm with Three (Hutchinson) here in Oz and apart from the gratuitous advertising which is free (fair enough, I haven't asked them to stop yet) serivce has been adequate, all fees and charges were made known up front and were also itemised on my bill.
Re:Not exclusive to T Mobile (Score:4, Informative)
Re:T-Mobile Customer (Score:5, Informative)
I'm a T-Mobile Customer. I think they did the right thing, coming forward when it was obvious they had a data breach.
Data breach? That was a few months ago when they lost their entire customer database along with credit card numbers. This time they sold their data.
T-Mobile are the worst phone network going. Their coverage sucks, their customer service sucks, they are willing to abuse their own customers to make a few quid. The only thing going for them is the price.
Re:Who bought the stolen records? (Score:4, Informative)
So.. who actually bought the stolen records if T-mobile employees sold them to other operators but no other operators were involved?
Ans: Third party phone retailers (or, at least, their employees). Not the sort that sell SIM-free phones, the sort that act as agents for the networks and mostly sell phones on contract.
At least, that's who I was getting cold-called by when my T-Mobile contract ran out. Of course, they did their best to use weasel words to imply that they were calling from T-Mobile without actually saying so.
I assume that the game was to try and get you to sign a new T-Mobile contract with them as agent, so they would get the commission.
Re:I wonder what celebrities do... (Score:5, Informative)
Interestingly, some of the UK mobile operators have bankers licences and are therefore governed by the FSA (financial services authority). The FSA defines a PEP marker (Politically Exposed Person [wikipedia.org]) on records and these typically have greater sensitivity than the rest and each access is audited. Anyone who thinks they are 'famous' can become a PEP on request - politicians, david beckham's, recognised government officials, company execs are using this device more and more.
Whilst it might seem like a good idea to register yourself as a PEP (e.g. I'm famous on slashdot), it can be a pain in the arse because some banks etc will not send out new credit cards directly to a PEP.
Using alias's is illegal if done incorrectly. Using an alias as a "stage name" is OK for celebs, but not so great for politicians. Also, it's not a great idea to buy a phone contract with an (!deedpoll) alias.