T-Mobile customers' personal data sold to rivals

by Graham Cluley on November 17, 2009 | Comments Off

Filed Under: Data loss, Law & order, Mobile, Video

Woman with mobile phone
The story dominating the British news this evening is the revelation that staff at one of the leading mobile phone company's sold the personal details of thousands of customers for "substantial sums".

Information Commissioner Christopher Graham refused to name the company concerned as it could prejudice a future prosecution, but told the media that the names, addresses, telephone numbers and information about customers' contracts was stolen and sold on to other competitors.

You can imagine just how attractive it would be for one mobile phone company to know when another phone operator's customers were approaching contract renewal.

Newshounds, ever keen to find out who might have been at the heart of the incident, approached Orange, Vodafone, 3, O2 and Virgin - all of whom said they were not being investigated. This left remaining operator T-Mobile in the uncomfortable position of confirming its involvement.

BBC News reports that a T-Mobile spokesman confirmed that it was their customers whose data had been sold to rival phone firms and that the information had been sold without their knowledge.

One of the central problems here is that many companies are not doing enough to secure the data they hold about every one of us. The cheapness and availability of devices like USB thumb drives has just made it easier than ever before to scoop up large databases and waltz out of the office without any suspecting a thing.

Technology does exist to help intercept and control the movement of personal data inside organisations - but many firms have still not taken even the most basic steps to halt it dead in its tracks.

I'm not saying that technology can help prevent any data leaks inside your company - after all, a bad guy in your call centre could write down customer details on paper and put them in his back pocket - but it's only sensible today to take all the precautions you can, and reduce the risk.

Certainly the authorities seem interested in doing what they can to fight this growing problem. For instance, Christopher Graham of the Information Commissioner's Office has questioned whether the current fines of £5,000 are really a sufficient deterrent for this kind of crime. In his opinion, the most serious offenders should face a spell in prison for deliberate data theft.

And I have to say that I agree with him - £5,000 is peanuts compared to the huge amount of money that can be earnt by stealing personal data from inside a large corporation.

One big question still remains, however. We know that it was T-Mobile who had the data stolen from them - but who was buying it?

Tags: , ,

About the author

Graham Cluley is senior technology consultant at Sophos. The readers of Computer Weekly voted him security blogger of the year in 2009 and 2010, and he pipped Stephen Fry to the title of "Twitter user of the year" too. Which was nice. He was also named "Best Security Blogger" by the readers of SC Magazine in 2011. You can subscribe to Graham's updates on Facebook, follow him on Twitter and circle him on Google Plus for regular updates.