Feeds

T-Mobile hacker pleads guilty

Unusual secrecy

  • alert
  • submit to reddit

Security for virtualized datacentres

A sophisticated computer hacker who penetrated servers at wireless giant T-Mobile pleaded guilty Tuesday to a single felony charge of intentionally accessing a protected computer and recklessly causing damage.

Nicolas Jacobsen, 22, entered the guilty plea as part of a sealed plea agreement with the government, says prosecutor Wesley Hsu, who declined to provide details. The prosecution, first reported by SecurityFocus last month, has been handled with unusual secrecy from the start, and a source close to the case said in January that the government was courting Jacobsen as a potential undercover informant.

Before his arrest last October, Jacobsen used his access to a T-Mobile database to obtain customer passwords and Social Security numbers, and to monitor a US Secret Service cyber crime agent's email, according to government court filings in the case. Sources say the hacker was also able to download candid photos taken by Sidekick users, including Hollywood celebrities, which were shared within the hacking community.

According to a Secret Service affidavit filed in the case, Jacobsen came to the agency's attention in March of last year when he offered to provide T-Mobile customers' personal information to identity thieves through an Internet bulletin board. Jacobsen had access to some customers' Social Security numbers and dates of birth, voicemail PINs, and the passwords providing users with web access to their T-Mobile email accounts. He did not have access to credit card numbers. The company, based in Bellevue, Washington, boasts 16.3 million U.S. customers.

T-Mobile says it has notified 400 customers whose data was accessed, but the company leaves open the possibility that it may identify and warn more victims as the case progresses. "I can confirm that based on the information that we have to date, we have notified all the customers that we are aware of," said spokesman Peter Dobrow said Wednesday. "It's still under investigation."

Court records suggest the hacker was in T-Mobile's systems for at least a year, ending with his arrest in October 2004. But the company claimed Wednesday that Jacobsen's access was not continuous throughout that period: at some point they detected him and locked him out, but the hacker was apparently able to break back in. "There were two instances that we were able to identify as having Jacobson's fingerprints on them," said Dobrow. "There were two periods of time, beginning in October 2003."

Jacobsen was arrested after a Secret Service informant helped investigators link him to sensitive agency documents that were circulating in underground IRC chat rooms. The files were traced to Peter Cavicchia, a Secret Service cyber crime agent in New York who received documents and logged in to a Secret Service computer over his T-Mobile Sidekick - an all-in-one cellphone, camera, digital organizer and email terminal. The Sidekick uses T-Mobile servers for email and file storage.

A source close to the case said last month that Jacobsen also amused himself and others by obtaining the passwords of Sidekick-toting celebrities from the hacked database, then entering their accounts and downloading photos they'd taken with the wireless communicator's built-in camera.

A friend of Jacobsen's in the hacker community, William Genovese, confirmed that account, and said Jacobsen gave him copies of digital photos that celebrities had snapped with their cell phone cameras. Last month Genovese provided SecurityFocus with an address on his website featuring what appears to be grainy candid shots of Demi Moore, Ashton Kutcher, Nicole Richie, and Paris Hilton. He said Wednesday that he's since removed the photos at Jacobsen's request.

T-Mobile declined to discuss specific victims. Reached by phone, Hilton's manager said the company has not notified Hilton of a breach.

Now free on bail and living in Oregon, Jacobsen faces a maximum possible sentence of five years imprisonment. Sentencing is set for 16 May.

Copyright © 2005, SecurityFocus logo

Related stories

Hacker breaches T-Mobile systems, reads US Secret Service email
Fraudsters expose 100,000 across US
Hackers at mercy of US judges
Michigan Wi-Fi hacker jailed for nine years
'Deceptive Duo' hacker charged

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.