Feeds

T-Mobile hacker pleads guilty

Unusual secrecy

  • alert
  • submit to reddit

Top 5 reasons to deploy VMware with Tegile

A sophisticated computer hacker who penetrated servers at wireless giant T-Mobile pleaded guilty Tuesday to a single felony charge of intentionally accessing a protected computer and recklessly causing damage.

Nicolas Jacobsen, 22, entered the guilty plea as part of a sealed plea agreement with the government, says prosecutor Wesley Hsu, who declined to provide details. The prosecution, first reported by SecurityFocus last month, has been handled with unusual secrecy from the start, and a source close to the case said in January that the government was courting Jacobsen as a potential undercover informant.

Before his arrest last October, Jacobsen used his access to a T-Mobile database to obtain customer passwords and Social Security numbers, and to monitor a US Secret Service cyber crime agent's email, according to government court filings in the case. Sources say the hacker was also able to download candid photos taken by Sidekick users, including Hollywood celebrities, which were shared within the hacking community.

According to a Secret Service affidavit filed in the case, Jacobsen came to the agency's attention in March of last year when he offered to provide T-Mobile customers' personal information to identity thieves through an Internet bulletin board. Jacobsen had access to some customers' Social Security numbers and dates of birth, voicemail PINs, and the passwords providing users with web access to their T-Mobile email accounts. He did not have access to credit card numbers. The company, based in Bellevue, Washington, boasts 16.3 million U.S. customers.

T-Mobile says it has notified 400 customers whose data was accessed, but the company leaves open the possibility that it may identify and warn more victims as the case progresses. "I can confirm that based on the information that we have to date, we have notified all the customers that we are aware of," said spokesman Peter Dobrow said Wednesday. "It's still under investigation."

Court records suggest the hacker was in T-Mobile's systems for at least a year, ending with his arrest in October 2004. But the company claimed Wednesday that Jacobsen's access was not continuous throughout that period: at some point they detected him and locked him out, but the hacker was apparently able to break back in. "There were two instances that we were able to identify as having Jacobson's fingerprints on them," said Dobrow. "There were two periods of time, beginning in October 2003."

Jacobsen was arrested after a Secret Service informant helped investigators link him to sensitive agency documents that were circulating in underground IRC chat rooms. The files were traced to Peter Cavicchia, a Secret Service cyber crime agent in New York who received documents and logged in to a Secret Service computer over his T-Mobile Sidekick - an all-in-one cellphone, camera, digital organizer and email terminal. The Sidekick uses T-Mobile servers for email and file storage.

A source close to the case said last month that Jacobsen also amused himself and others by obtaining the passwords of Sidekick-toting celebrities from the hacked database, then entering their accounts and downloading photos they'd taken with the wireless communicator's built-in camera.

A friend of Jacobsen's in the hacker community, William Genovese, confirmed that account, and said Jacobsen gave him copies of digital photos that celebrities had snapped with their cell phone cameras. Last month Genovese provided SecurityFocus with an address on his website featuring what appears to be grainy candid shots of Demi Moore, Ashton Kutcher, Nicole Richie, and Paris Hilton. He said Wednesday that he's since removed the photos at Jacobsen's request.

T-Mobile declined to discuss specific victims. Reached by phone, Hilton's manager said the company has not notified Hilton of a breach.

Now free on bail and living in Oregon, Jacobsen faces a maximum possible sentence of five years imprisonment. Sentencing is set for 16 May.

Copyright © 2005, SecurityFocus logo

Related stories

Hacker breaches T-Mobile systems, reads US Secret Service email
Fraudsters expose 100,000 across US
Hackers at mercy of US judges
Michigan Wi-Fi hacker jailed for nine years
'Deceptive Duo' hacker charged

Secure remote control for conventional and virtual desktops

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Getting ahead of the compliance curve
Learn about new services that make it easy to discover and manage certificates across the enterprise and how to get ahead of the compliance curve.