After an unknown individual publicly posted what they claimed were sensitive records belonging to telecom provider T-Mobile, the company confirmed that the data had been purloined, but aggressively denied any claim that it had been hacked.
The alleged culprit posted records to Full Disclosure, a mailing list for security professionals, on June 6. "We have everything, their databases, confidental documents, scripts and programs from their servers, financial documents up to 2009." The post was accompanied with a list of records.
"We already contacted with their competitors and they didn't show interest in buying their data -probably because the mails got to the wrong people- so now we are offering them for the highest bidder," the author added.
T-Mobile issued several statements after the breach, all of which downplayed the alleged hack as not threatening to customers' information. On Tuesday, they said "[t]he company is conducting a thorough investigation and at this time has found no evidence that customer information, or other company information, has been compromised. Reports to the contrary are inaccurate and should be corrected."
T-Mobile has also zealously demanded that news outlets covering the breach remove reference to hacking, but representatives would not explain how the records were obtained, citing the ongoing investigation.
The company also would not disclose what the mysterious records were, though some theorize the information relates to internal audits. Brian Krebs, author of the Washington Post's "Security Fix" blog, warned against taking anything said on the "Full Disclosure" list as truth without more verification.
"The Full Disclosure mailing list often contains some real gems of timely information, but the list also is known to have a rather low signal-to-noise ratio," Krebs said.
The economic stimulus package contained provisions updating federal data breach law to mandate disclosure to law enforcement and the public — but not at the same time — if the breach was of significant size, and the data was unprotected. Under the law, T-Mobile would have to notify their customers of a breach, but not until after law enforcement is notified and investigates.
