T-Mobile UK Employees Sold Customers' Information
angry tapir writes "Workers at T-Mobile UK have been selling customer data to brokers who worked for the competition, according to T-Mobile and the UK's Information Commissioner's Office. Criminal charges are being prepared. 'Many thousands' of customers' account details, millions of records, were sold to several brokers for substantial amounts of money, the ICO said. In an announcement (PDF) from the ICO, the agency does not name the operator involved, but T-Mobile acknowledged that it had alerted ICO about the data breach. The BBC reports that after the other mobile operators said they were not the subject of the investigation, T-Mobile confirmed its involvement."
T-Mobile Customer (Score:4, Interesting)
I like T-Mobile, especially because they have great customer support. I have a friend who got overbilled by a lot, and decided to settle instead of going to court over it. My experience with the company though has been pretty good. I'm staying with them.
Re:T-Mobile Customer (Score:5, Funny)
"But the ETF is so high because he loves me..."
Re: (Score:3, Informative)
I'm not the only one who likes T-Mobile for their customer support. [cnn.com]
Re: (Score:1)
Re: (Score:1)
EVIL and GOOD were
static int EVIL = 1;
and
static int GOOD = 0;
REALLY old guys from the K&R C Days would have done this
#define EVIL 1
#define GOOD 0
You youngin's and your whippersnapper managed OOP languages ....
Actually, I like them myself. I'm learning to really like C#. Managed C++, though, is a spawn of Satan.
Re: (Score:2, Interesting)
Are you a TMobile UK (or US or Germany or wherever else TMobile do business) customer?
I'm a TMobile UK customer (because I wanted the G1), and my personal customer support experiences with them have been pretty terrible. They refused to pause my contract when I came traveling (whereas other UK telecommunications companies will do so), they lowered the price of the contract a week after I bought my G1 and wouldn't let me downgrade to the lower tariff, and every time I talk to them, they just seem unwilling
Re: (Score:1)
I have a friend who got overbilled by a lot, and decided to settle instead of going to court over it.
That's my main problem with mobile network operators: they are the biggest money grabbing bastards to walk the planet. The amount of times I have had to go to small claims court for clients because of unfair charges is a joke (although T-Mobile are best in this respect).
I am jobless at the moment so bills are piling up and I have not paid my broadband (Virgin Media) for three months, so they cut me off. Rang up, paid off a month and I was back up within the hour.
With O2 I missed one payment two weeks later I was b
Re: (Score:2)
This is the last time that I am going on an 18 month contract. From now on it's monthly rolling contract and I will pay for the phone out of pocket. It might cost me more in the long run,
I suspect actually it will be the opposite. I started doing this about the time that 18-month contracts became the norm and I've been able to reduce the amount I pay monthly massively (those monthly rolling rates are cheaper than the handset-subsidised rates; plus you have a better window to threaten them with moving to the competition and grab the best bargains as and when they appear). Plus I get a handset that is (a) already unlocked (which I would otherwise have been charged £20 for if I wanted to
Re:T-Mobile Customer (Score:5, Informative)
I'm a T-Mobile Customer. I think they did the right thing, coming forward when it was obvious they had a data breach.
Data breach? That was a few months ago when they lost their entire customer database along with credit card numbers. This time they sold their data.
T-Mobile are the worst phone network going. Their coverage sucks, their customer service sucks, they are willing to abuse their own customers to make a few quid. The only thing going for them is the price.
Re: (Score:1)
Re: (Score:2)
ROTFL!
However, they were about the first UK operator to offer a flat-rate Internet deal which only cost a hand and a foot.
T-Mobile Operator (Score:2)
Sold to competitors (Score:5, Insightful)
Re: (Score:2)
They'll have taken the standard approach of asking the brokers to verify that all the data had been collected legally (for example, by people ticking or forgetting to tick the tiny box in the middle of all the small print at the bottom of a form they filled out), the brokers would have lied - or already been "lied" to by the T-Mobile staff and everyone would have carried on as before.
I very much doubt that the ICO can or will do much to sanction the other providers.
Re: (Score:2)
IMHO as soon as they used the data, rather than reporting the "brokers" to the appropriate authorities.
Re: (Score:2, Interesting)
Re: (Score:2)
You shouldn't have bought the answers to an exam in the first place.
No surprise (Score:5, Insightful)
The likelihood of valuable data being exploited is proportional to its marketability. The more important the data, the more likely it will be stolen or otherwise exploited. It doesn't matter if it's a company, a utility or a government.
And why shouldn't they? (Score:5, Insightful)
The entire UK (Is it any different elsewhere?) Mobile Phone industry works on ethical standards that would shame organised crime. Among the many abuses I've come across:
* Deceptive tariffs, resulting in unexpectedly large bills, especially the roaming data (I used to handle the phone admin for a medium sized company, we had a user come back from overseas trips with bills up over a thousand pounds when the free roaming data the salesman told us we'd bought turned out to have a fair use limit of 10MB...)
* The reverse billing text message scam - some of the companies operating this make tens of millions, and have been fined hundreds of thousands for repeated abuses - they are still in business.
* your bank details get passed on and you are billed for insurance you never asked for
* BUYING the stolen data
Think of these guys as a bit like Chris in the Sopranos. They got impatient and wanted a piece of the action for themselves. They may get a slap on the wrist, but the business is full of worse criminals.
Re:And why shouldn't they? (Score:5, Informative)
Well in nations that have a government willing to keep telcos in line, like in Australia.
Waiting for the inevitable extremist right wing mod down for suggesting that regulation can actually help the consumer by making sure businesses adhere to the rules.
OK, things aren't perfect here in Australia, but abuse is kept to a minimum as it only takes one phone call to the TIO (Telecommunications Industry Ombudsman) to sort things out if my telco screws me and if the TIO finds merit in my claim the Telco is ordered to pay for the TIO's investigation as well as any punishment that is handed out.
I'm with Three (Hutchison) here in Oz and apart from the gratuitous advertising which is free (fair enough, I haven't asked them to stop yet) service has been adequate, all fees and charges were made known up front and were also itemised on my bill.
Re: (Score:2)
The entire UK (Is it any different elsewhere?)
Well, it's different in Canada, sure things mess up now and then, but every time I've bitched at Telus, they've come through. No doubt mileage varies.
Re: (Score:1, Troll)
Bottom line; He took a salesman's word for it, and didn't think to wonder why it was such a sweet deal. Free roaming data? Sure, bud, and Satan's buying mittens.
Re: (Score:2)
This guy should have known better. And good luck proving what a salesman tells you... "Yes, your honour, he said it was unlimited." "And what did the contract say?" "Oh, I don't know, I skipped to the bottom and signed, like I do with EULAs on software. Nobody reads them."
Vote with your feet (Score:3, Interesting)
Re:Vote with your feet (Score:4, Informative)
I've cancelled direct debits and my contract. Vote with my feet - if they want to be fool enough to sue me for the loss of the contract then they can expect to get countersued for the cost of credit monitoring. Until people start slapping the companies hard by refusing to do business with them this will carry on. The UK data protection *laws* are good, but the *penalties* are worthless as a deterrent.
Whom? T-Mobile?
You must be a hit at restaurants. When the waiter gets your order wrong, I'm betting you tell everyone there to not eat at that restaurant again.
It seems to me that T-Mobile did the right thing, and contacted the authorities once they figured out what was going on. You want to punish them for that?
Although, you didn't specify anyone. Perhaps you meant the companies that bought information?
Re: (Score:2)
Re: (Score:2)
ROFL. You're saying you want the customer's data, which was likely needed by the employee to do their job, to be hidden from them? Good luck with that one, what's next? Not telling waiters your order because you want to protect your personal data?
Seriously though, you have absolutely no evidence that the data was mishandled by T-Mobile, just by an employee who they are going after now. Would you blame T-Mobile if a hacker got in and stole their data? How about if it was subpoenaed by the government and then
Re: (Score:1, Troll)
Re: (Score:2)
/me gives a hand. Stop rolling and stand up.
If it were convenient and profitable for users to sue providers for provable instances of data breach, do you think they would act differently?
Re: (Score:1, Troll)
It seems to me that T-Mobile did the right thing, and contacted the authorities once they figured out what was going on. You want to punish them for that?
That's flawed reasoning. They should be punished for abusing their customers and breaking the law, saying sorry later doesn't cancel out their deliberate actions.
They should be punished. (Score:2)
How is it possible for anybody to have access to all that information?
Only processes should be able to access records of people in volume, no manual query should be able to gather that information.
Re: (Score:2)
patterns (Score:2, Informative)
Detect abuse (rising to the level of unauthorized access) of access privileges to access a handful of records? Very hard.
Detect abuse of access privileges that constitute unauthorized access to "millions of records"? Very easy. It's all about automatically flagging abnormal or unusual patterns of accesses so that they can be audited to determine if they were authorized (highly unlikely at that volume difference) or unauthorized.
But first the data/system owner has to care about unauthorized access. The Do
Re: (Score:2)
The number of employees who actually have a legitimate need to access huge numbers of records/substantial portions of the database is very small. Appropriate access controls are implied by the relevant legislation.
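The volume-based flagging described in the "patterns" comment above, as an added example that is not part of the thread or any operator's system: it counts distinct customer records opened per employee per day and flags anyone far above that day's peers. The log layout `(day, employee, record_id)`, the employee names and the `k` and `floor` thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from statistics import median

def distinct_records(log):
    """Map (day, employee) -> number of distinct customer records opened."""
    seen = defaultdict(set)
    for day, employee, record_id in log:
        seen[(day, employee)].add(record_id)  # repeat views of one record count once
    return {key: len(ids) for key, ids in seen.items()}

def flag_bulk_access(log, k=10.0, floor=100):
    """Return sorted (day, employee, count) rows far above that day's peers.

    The baseline is median + k * MAD (median absolute deviation), so one bulk
    reader cannot drag the baseline up; `floor` suppresses alerts on quiet days.
    Both thresholds are assumed values that would need tuning per role.
    """
    by_day = defaultdict(dict)
    for (day, employee), n in distinct_records(log).items():
        by_day[day][employee] = n
    alerts = []
    for day, per_user in by_day.items():
        values = list(per_user.values())
        med = median(values)
        mad = median(abs(v - med) for v in values) or 1.0  # avoid a zero spread
        threshold = max(floor, med + k * mad)
        for employee, n in per_user.items():
            if n > threshold:
                alerts.append((day, employee, n))
    return sorted(alerts)

def sample_log():
    """Constructed audit log: four agents doing normal work, one bulk reader."""
    log = []
    normal = {"agent_a": 22, "agent_b": 31, "agent_c": 27, "agent_d": 35}
    for day in ("day-1", "day-2"):
        for employee, n in normal.items():
            log += [(day, employee, f"{employee}-{day}-{i}") for i in range(n)]
            log += [(day, employee, f"{employee}-{day}-0")] * 3  # re-opened record
    log += [("day-1", "agent_e", f"cust-{i}") for i in range(25)]
    log += [("day-2", "agent_e", f"cust-{i}") for i in range(5000)]
    return log

if __name__ == "__main__":
    for alert in flag_bulk_access(sample_log()):
        print(alert)
```

Each flagged row is a candidate for audit against the employee's role, not proof of misuse.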
Who is paid to access thousands of records? (Score:2)
Sorry, but I fail to see why anybody should have access to a substantial amount of records at the same time.
This smacks to me as lack of security.
Re:Vote with your feet (Score:4, Funny)
Contact the ICO and find out if your data was included in the sold information.
Then sue T-Mobile for not protecting your personal data.
Then after the court cases, sue the T-Mobile staff who stole the data, the brokers who sold the data, and the other network operators who bought the data.
T-Mobile customers could, if they play this right, make a tidy sum of money from suing the people involved. Remember to get in early before the other customers and ex-customers clean up.
Of course the real way to handle this is to put a price (say, minimum annual contract price x number of customers) and then use **AA accounting methods and sue those involved for copyright infringement of the data :-)
Re: (Score:2)
I wonder what celebrities do... (Score:1)
This makes me wonder what an individual who would really like their info to remain private can do to keep it so.
Celebrities, politicians, all their info is potentially for sale, and all it takes is one greedy employee with some debt...
Re: (Score:2)
Re:I wonder what celebrities do... (Score:5, Informative)
Interestingly, some of the UK mobile operators have bankers' licences and are therefore governed by the FSA (Financial Services Authority). The FSA defines a PEP marker (Politically Exposed Person [wikipedia.org]) on records and these typically have greater sensitivity than the rest and each access is audited. Anyone who thinks they are 'famous' can become a PEP on request - politicians, David Beckhams, recognised government officials, company execs are using this device more and more.
Whilst it might seem like a good idea to register yourself as a PEP (e.g. I'm famous on slashdot), it can be a pain in the arse because some banks etc will not send out new credit cards directly to a PEP.
Using aliases is illegal if done incorrectly. Using an alias as a "stage name" is OK for celebs, but not so great for politicians. Also, it's not a great idea to buy a phone contract with an (!deedpoll) alias.
Not exclusive to T Mobile (Score:4, Interesting)
Re: (Score:3, Insightful)
Can somebody say "Data Protection Act"?
Re:Not exclusive to T Mobile (Score:4, Funny)
If you read the article, someone has.
I know, I just come here for the stellar conversations.
Re:Not exclusive to T Mobile (Score:5, Interesting)
Re:Not exclusive to T Mobile (Score:4, Informative)
Re: (Score:2)
You can easily find the provider for a given number. Here is an example that works in the US.
http://privacylog.blogspot.com/2009/01/security-hole-in-sms-spam-websites.html [blogspot.com]
That website also allows you to charge arbitrary amounts of money to arbitrary phone numbers using SMS spam signup.
Old news? (Score:1)
Yep, it's not T-Mobile calling me, but whoever it was they sold all my details to (including tariff and expiry details) back then is STILL using/forwarding/selling it on and on! Every year the company name is different, but
Taking measures (Score:2, Interesting)
Who bought the stolen records? (Score:2)
"Workers at T-Mobile UK have been selling customer data to brokers who worked for the competition [...] The BBC reports that after the other mobile operators said they were not the subject of the investigation, T-Mobile confirmed its involvement."
So.. who actually bought the stolen records if T-Mobile employees sold them to other operators but no other operators were involved?
Re:Who bought the stolen records? (Score:4, Informative)
So.. who actually bought the stolen records if T-Mobile employees sold them to other operators but no other operators were involved?
Ans: Third party phone retailers (or, at least, their employees). Not the sort that sell SIM-free phones, the sort that act as agents for the networks and mostly sell phones on contract.
At least, that's who I was getting cold-called by when my T-Mobile contract ran out. Of course, they did their best to use weasel words to imply that they were calling from T-Mobile without actually saying so.
I assume that the game was to try and get you to sign a new T-Mobile contract with them as agent, so they would get the commission.
It's not just TMobile. (Score:3, Insightful)
good (Score:2)
Oh goody, my contract is up and it's another reason to want to move elsewhere.
I'm optimistic of being on a really good deal soon. With T-Mobile.
(I'm not even vaguely surprised at this kind of thing any more from any company, their being caught merely represents an opportunity for me to make use of it).