T-Mobile coughs to data theft
But can't understand all the fuss
T-Mobile has admitted it was the operator whose staff sold customer data to competitors, but can't understand why the Information Commissioner decided to share the information.
Staff at the network operator had developed a sideline selling customer records to brokers who then called up the customers to offer alternative contracts.
T-Mobile had been told not to mention the case to anyone as there were prosecutions pending, so the operator was pretty surprised when the Information Commissioner decided to spill the beans yesterday to help his political case for harsher sentences for data breaches.
The Information Commissioner's Office (ICO) is trying to whip up support for custodial sentences for those convicted of stealing data, but public sympathy for celebrities who had their phone records stolen is minimal. The T-Mobile case, on the other hand, demonstrates why normal people should care too, which is why the details came out in the Commissioner's response to the Government consultation about the introduction of prison sentences.
T-Mobile seemingly couldn't have handled the case better. The operator received complaints that customers were getting curiously well-informed cold calls, so T-Mobile investigated - as operators are surprisingly willing to do. It took its evidence to the ICO, who investigated further and told the operator to say nothing to anybody until the case was complete.
But that restriction didn't apply to the ICO, who published the details to support its argument. The ICO didn't name the operator, but it didn't take long to get denials out of all the other operators, forcing T-Mobile to admit it was them, despite promising the ICO they wouldn't say anything.
As for the data stolen, it mainly consisted of customer details and contract end dates - annoying to have public but not exactly state secrets. Customer details are in the phone book, and most people will tell you their contract renewal date if you call them up and ask (as cold callers are wont to do).
Whether one approves of custodial sentences for nicking data, or not, it's clear that the ICO has manipulated this case into a cause célèbre with impact far beyond its real importance. ®
It's a major concern in the industry.
My company has been approached by networks in the past about this problem – it's a major concern in the industry.
There is a range of tactics used to get customer data about the networks people use, their specific accounts and even whether they have insurance for their phone. Companies then use this information to contact a customer, offer them a better deal and steal their business – it’s commercial espionage and theft of data on a massive scale. It also undermines networks providing good services to their customers.
The risk is often the ‘trusted insider’ who goes bad – and technical security procedures and policies alone won't prevent it. Networks need to diagnose the problem upstream, getting to grips with their customer data and monitoring how it (and hence the customer base) behaves as a whole over time. It’s important to understand the big picture in terms of your customers' behaviour – the problem with mobile phone networks is that they have hundreds of thousands of customers. Can you imagine a smaller business failing to know its clients, unconcerned about whether they retain them and not watching for signs of competitors stealing them away?
By continuously auditing, monitoring, assessing and diagnosing their client base it's possible to see problems as – or even before – they occur. If the technology notices that a particular pattern of standard behaviour starts to become erratic or considerably changes, something might be afoot. We specialise in this kind of monitoring, letting networks know the state of health of their client base and helping to control the conditions that retain customers and protect them from fraudsters.
Another tactic used by unscrupulous companies is to use ‘Autodialler’ machines, which randomly dial phone numbers using smart calculators. They already know the type of number generally owned by each network, then callers use social engineering techniques to find out more about the customer's account and offer what appears to be a better deal and also win the insurance business for the phone. Together this can be very lucrative.
The difference between an Autodialler and a data thief is that the Autodialler doesn’t need to enter the company database. Some may say this is fair game, but that couldn’t be further from the truth – left unchecked this situation can develop into a continuous ‘churning’ of customers, driving prices even lower so service suffers, customers suffer and the businesses involved become difficult to control and manage. It undermines the economic basis for developing good standards by service providers; if the problem grows then the temptation for everyone to do it is overwhelming. We should remember that these businesses employ people, provide taxes for the economy and develop new technologies we can sell internationally. It is not in anyone’s long-term interests to engage in this. In the short term the ‘sharks’ using Autodiallers make vast amounts of money, but inevitably someone will try it on their service provider as well. And so the story goes on...
Richard Leary - Forensic Pathways
Data Breaches Happen Far Too Often
Companies need to have a strong access management strategy in place to protect all critical applications and data – especially customer databases – and further need to ensure that the access strategy and corporate policies are being adhered to across the business. Insider data breaches like these rear their ugly heads far too often, and it’s important for enterprises to ensure that they aren’t simply trusting their employees to do the right thing, but also utilising automated preventative and detective controls to keep everyone honest.
Stuart Hodkinson, General Manager, Courion
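The two comments above both argue for watching how customer records are being pulled rather than trusting staff: Richard Leary describes monitoring a client base for patterns that "start to become erratic or considerably change", and Stuart Hodkinson asks for "automated preventative and detective controls". The following is an added example of what such a control looks like in practice. It is not code from T-Mobile, Forensic Pathways, Courion or the page's authors; the CRM audit-log format and the log lines are constructed for the example, and every name in it is hypothetical. It builds a per-staff-member baseline of daily lookups of a sensitive field (contract end dates, the data the brokers were buying), flags any day that exceeds both an absolute floor and that person's own baseline, and exposes the same limit as a gate the CRM could consult before returning the next record.

```python
"""Insider bulk-access control over a CRM audit log (added example).

Constructed audit-log format, one line per record lookup (an assumption,
not any real CRM's schema):
    <ISO timestamp> <staff_id> lookup <customer_id> <comma-separated fields>
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

LOG_FORMAT = "{ts} {user} lookup {cust} {fields}"


def build_sample_log():
    """Constructed sample: four days of ordinary call-centre activity for
    two agents, then a fifth day on which 'bob' pulls 180 records with their
    contract end dates. Deterministic so the example is reproducible."""
    lines = []
    start = datetime(2009, 11, 9, 9, 0)
    normal = {"alice": 22, "bob": 18}
    for day in range(5):
        for user, n in normal.items():
            count = n + (day % 3)          # small day-to-day jitter
            if user == "bob" and day == 4:
                count = 180                # the bulk pull
            for i in range(count):
                ts = start + timedelta(days=day, minutes=3 * i)
                lines.append(LOG_FORMAT.format(
                    ts=ts.isoformat(timespec="seconds"), user=user,
                    cust=f"C{10000 + i:05d}", fields="name,phone,contract_end"))
    return lines


def parse_line(line):
    """Split one audit line into (timestamp, user, action, customer, fields)."""
    ts, user, action, cust, fields = line.split(" ", 4)
    return datetime.fromisoformat(ts), user, action, cust, fields.split(",")


def daily_counts(lines, field="contract_end"):
    """Per staff member, per calendar day: number of lookups that returned
    the sensitive field. Lookups that did not touch it are ignored."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, user, action, _cust, fields = parse_line(line)
        if action == "lookup" and field in fields:
            counts[user][ts.date().isoformat()] += 1
    return counts


def limit_for(history, z=3.0, floor=50):
    """Per-user ceiling: never below `floor` (so ordinary jitter on a quiet
    account is not an alert) and above the user's own mean + z * stddev of
    earlier daily counts (so a genuinely busy agent is not a false positive)."""
    if not history:
        return floor
    return max(floor, mean(history) + z * pstdev(history))


def detect_bulk_access(counts, z=3.0, floor=50, min_days=3):
    """Detective control: replay each user's days in order and flag any day
    whose count exceeds the limit derived from that user's earlier days."""
    alerts = []
    for user, by_day in counts.items():
        history = []
        for day in sorted(by_day):
            n = by_day[day]
            if len(history) >= min_days and n > limit_for(history, z, floor):
                alerts.append({"user": user, "day": day, "count": n,
                               "baseline": round(mean(history), 1)})
            history.append(n)
    return alerts


def lookup_permitted(history, count_today, z=3.0, floor=50):
    """Preventive twin of the detector: the CRM would call this before
    returning a record, refusing the (count_today + 1)th lookup of the day
    once it would cross the same per-user limit."""
    return count_today + 1 <= limit_for(history, z, floor)


if __name__ == "__main__":
    for alert in detect_bulk_access(daily_counts(build_sample_log())):
        print(alert)
```

Only bob's fifth day is reported; alice's counts stay under the floor and within her own baseline on every day. The floor is the parameter to tune against the business: a retention team that legitimately works through hundreds of expiring contracts a day needs either a higher floor or a separate baseline by role, otherwise the control trains staff to ignore its alerts.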
re: Cost on Contract by Vishal Vashisht
The DPA permits victims of breaches to take the offending company to court and litigate for damages, provided damage can be shown. Damage does not have to be monetary; it can also be psychological - so it is arguable that receiving calls several times a day can cause undue stress, but there would probably need to be logs of calls.
Let me further add that I am incredibly disappointed with the tone of this article and as someone who spends the vast majority of his time defending consumers privacy rights I am incredibly disappointed with Bill's reporting on this issue.
The misuse of personal data in the UK is a very significant problem that causes hundreds of thousands of people a great deal of stress on a daily basis - for example, just yesterday we received a scam call at 5am, and I know we are not alone with this problem. But more importantly, our personal data is protected under law - and with the Lisbon Treaty going through, Data Privacy will soon be a fundamental right on par with the European Convention on Human Rights, and for good reasons which should be common sense for anyone who has been following the privacy debate over the past 20+ years.
Also, the media, ICO and T-Mobile are using their staff as a scapegoat. We need to remember that actually under the Data Protection Act it is the duty of the Data Controller to ensure that sufficient safeguards and security are in place to prevent the misuse of personal data within the organisation - a point which has clearly been missed in all the reporting on this issue so far. T-Mobile obviously did not have sufficient safeguards in place otherwise this breach would not have happened in the first place - and under the DPA it is ultimately the company and the data controller who are liable - not the staff. T-Mobile are reported as saying they take Data Security very seriously - well obviously not seriously enough!
Furthermore, this practice of selling personal data to data brokers is systemic to the entire commercial arena (not just telecoms) and I find it astonishing that ICO seem to only just be recognising that - this breach came as a surprise to no-one who has even the slightest interest in consumer rights.
Should there be custodial sentences and larger fines (1 million Euros are already being discussed within Europe and £500,000 was recently discussed in the UK)? Damn right there should be. We live in one of the least privacy-conscious countries in the entire world, pretty much top the surveillance league table of all developed western states and rank in the top 5 on a global scale. It is about time our fundamental rights to privacy were upheld, and without substantial penalties to do that there is no deterrent.
For years we have been complaining that ICO have no enforcement powers so I am dismayed to see anyone criticize ICO for using whatever weapon they have in their arsenal to increase their enforcement powers. Last week I spoke at the BEUC Forums 2009 conference in Brussels - the focus of the event was Consumer Privacy and Behavioural Advertising and the resounding message which came out of the event was an utter lack of enforcement despite there being reasonably strong legislation throughout Europe to protect the privacy rights of the citizen.
Everyone should be aware that the Telecoms Reform Package (which is about to go through Europe) makes the reporting of data breaches compulsory for the telecoms industry - so in future don't be surprised to see more of this type of news hitting the press.
To sum up, ultimately it is T-Mobile who are both responsible and liable for this breach, and yes, consumers do have an option to seek remedy through the courts. I would seriously suggest that if they have evidence of damage they take the steps outlined in the DPA to take T-Mobile to court - if for no other reason than to send a clear message to the sector as a whole that these breaches are unacceptable and will carry consequences.
This is a personal statement by me and whereas it probably matches the opinions of my colleagues it is not an official statement on behalf of Privacy International.