wiredog August 27, 2021 8:50 AM

After this one, realizing that nothing could have been revealed about me that wasn’t already out there, I bought a couple of YubiKeys and had my credit frozen. Going to set up all my accounts that can work with the YubiKeys to do so this weekend.

Ex T-Moron August 27, 2021 9:22 AM

I worked for T-Mo for a bit. When I went for my interview, they asked me to do some work on one of the live, production Oracle databases. It had all customer data (including SSNs, unencrypted credit card details, plus other stuff too) in it.

When I got the job, it was still the same. And access controls for the database were lax, at best…

echo August 27, 2021 10:27 AM

America needs to get over it’s thing about uniltarerialism and bring UN human rights obligations into law at a constititional level like Europe. The European Convention is the mechanism which all EU member states must sign up to and it puts a stop to a lot of the problems I keep hearing Amerians have. Even the Russians are signed up to the Convention!

Before anyone begins blowing snot bubbles it was pretty much the allied forces post-WWII (mostly the British) who wrote the thing! The UK’s Data Protection Act and later EU GDPR (which also applies in post-Brexit UK) is pretty much derived from the Convention. Any software developer or engineer or lawyer or other professional knows that standards matter. Yes more than a few people are going to have to pull their socks up and no this isn’t cost free but that’s life. The most of not doing things right means all the wrong thoughts and behaviours and people and organisations are rewarded and we cannot have that can we?

I’d also put your senior judges and legal scholars feet to the fire because they’re the ones being intransigent about it.

Attention follows focus. The result then tends to build itself.

mexaly August 27, 2021 12:09 PM

@wiredog, indeed, everyone should just assume our pii is for sale.
Heck, China has had my SF86 for, what, almost 10 years now? Not just my pii, but my family’s, too.

Clive Robinson August 27, 2021 12:19 PM

@ Bruce, ALL,

I’ve lost count of how many times T-Mobile has been hacked.

I would say that it has happened so often that it can only be due to “policy” from the most senior levels down throughout the managment of the organization.

So much so that it is “endemic” attitude / cultural belief within those people on the “birds of a feather…” notion.

Which should raise a question in more normal peoples heads of,

If you are an employee of an organisation with such endemic policy, what does it say about not just you, but any organisation that then knowingly employes you?

With the likes of Linked-in it now becomes possible to find where emoloyees of these realy bad organisations go to, which would give other people due warning about these other organisations hiring policies etc.

In fact it would enable researchers to produce several “tree diagrams” that when put together would in effect build a web of “reputational trust”.

Thus with a “reputational trust” web people could chose who to place their business with. Much like used to happen a century or more ago when “small town talk” kept people in line.

Neill August 27, 2021 1:30 PM

walk into a TMO store or call in and see how quick they get access to your account data.

multiply those precious few seconds by a few million customer interactions per month, and you see they save millions of $ each month by speeding up data access …

Frank Wilhoit August 27, 2021 2:56 PM


These reflections are bitter and overgeneralized, even by your expansive standards.

People don’t choose where to work. They count themselves lucky to find any job at all. Organizational culture may rub off on them to some small degree, but the fact is that the experience of any employee of a large firm is dominated by friction, sabotage, and play-acting. No signal can cut through that amount of noise.

The notion of “being kept in line” is a shocking piece of infantile sadism. The de facto organizational culture of this forum has been spiralling down into paranoia. For a long time you stood above that. Is it now beginning to rub off on you? Do you want that to become part of your “reputation”, and to follow you to other places?

echo August 27, 2021 4:00 PM

@Frank Wilhoit

There are academic papers on conformity and own group bias and discrimination. In fact there are entire books devoted to corporate culture. Many consultants get paid serious fees for advising on these matters. I don’t know about the US but there are people in the UK who are compliance auditors.

I have a few items stacked up for the Squid topic. One of them touches on topical governance issues and is not unrelated to this area and is written by an academic studying at Harvard.

I prefer to think people are adjusting to new topics or ways of looking at problems. As for “the culture of this forum spiralling down into paranoia” I’ve provided enough citations from impeachable sources on my own. I’ve also made more than one statement which was ahead of media reports on policy action (i.e tackling Russia on matters of law and the Metropolitan police pulling their socks up over sex discrimination issues related to trafficking).

Clive Robinson August 27, 2021 4:41 PM

@ Frank Wilhoit, ALL,

These reflections are bitter and overgeneralized, even by your expansive standards.

Wrong “E” word, try “experienced” instead.

And whilst my words may sound “bitter and overgeneralized” they are unfortunately “realistic” based on what we currentlt know.

Call it the “flip side of the coin”, we know what “others” are doing with our PII right now, peoples future careers are already being decided on what they and others posted on “social media” more than a decade ago at least.

We know there are “agencies” that specialise in online “reputational managment”.

We also know it is an expanding market to take people for as much money as they will part with.

We also know the market has the “fun side” that as a data agent you can play both sides quite profitably at the same time.

Knowing this, what do you realy think is going to happen?

That is what is “Societies Self Defence Reaction” going to be?

Think the alternatives through, decide which is the least harmful that also has a realistic chance of happening bearing in mind what we know is currently going on?

What you will probably come up wirh is a “reputation system” based on “social media”… Because it’s already happening, not just by the likes of the Chinese and other Governments, national security services, immigration officers, law enforcment, employment personnel/employers, credit agencies, and just about anyone else with money to buy the data. To think it’s not going to carry on would be “head in the sand, bum in the air” posturing of the sort we attribute to “bird brains”. Be they with feathers of the Struthioniform genus or those who want to pretend the world is full of ponies with horns on their snouts and rainbow hair sticking out the back ends, ridden by fair maids and such like.

So the question then becomes, knowing this is going on, on one side of the societal divide and it’s going to get worse, how long before the other side of the societal divide does it in “self defence” or “retaliation”?

The genie is out the bottle already, something tells me that it’s not going to go back in. Thus you have to “think it through, and act appropriately”.

Linked in is a “data resource” and,

1, They have done some very scummy things in the past.
2, So peoples data is out there available already.
3, People will monetize it one way or another.

There is no way to win at this game, so you can only play “not to lose” and hope you get a draw. However one way to do that is by not playing at all… I do not do social media and I will never be doing the likes of linked-in, I’m lucky I’ve a choice of not playing.

But is your assertion of,

People don’t choose where to work. They count themselves lucky to find any job at all.

Actually true?

As for,

The de facto organizational culture of this forum has been spiralling down into paranoia. For a long time you stood above that.

No I “stood clear” or “to one side” not “above”, I gave general information and asked people to “think it through”. I’ve even given people warnings that these sorts of systems were on their way over the past few decades. Well they are here now on one side of the fence. Human nature tells you what is going to happen on the other side of the fence.

We’ve seen the “it can not be true” response behaviour before, the classic being prior to Ed Snowdon. There were people on this blog telling others that it was not just technically possible but that it was happening. I remember the “it can not be true” arguments including those denialists accusing people of “paranoia”… Well we now know they were not paranoid.

So I ask you to think… Test your assumptions that makes you say “paranoia”… Do your assumptions have a factual basis? Can they be verified?

My thinking, tells me such reputational systems will be the least harmful response society can make. Heck we have politicians tub thumping for a lot worse in Australia, UK, and US currently. Frequently pushed by the likes of Law Enforcment Agencies and lobbyists for Corporations who see lots of potential in all that data.

When you have UK politicians making claims of 11 billion in such data, you know where it is going to go, or atleast you should do.

But for everyone else, my prediction is, if you put your PII in public by putting it on any social media or recruitment or any other site, even through many Email systems it will be scraped, aggregated and stored for future profit one way or another, and you will not see the benifit of it.

SpaceLifeForm August 28, 2021 2:11 AM

T-Mobile confirms Mandiant was brought in.

As to the other angle, it may not really help at this point in time.


Clive Robinson August 28, 2021 4:09 AM

@ SpaceLifeForm,

T-Mobile confirms Mandiant was brought in.

After the hoofbeats had faded long into the distance…

On trying to load the page you link to, it comes up with “javascript” Off, however with javascript On the page text briefly flashes up then gets replaced by a “page not found” message.

Which is curious behaviour…

@ ALL,

Anyway if you do get the page up, it does make interesting reading.

Such as,

“On August 17th we confirmed that T-Mobile’s systems were subject to a criminal cyberattack that compromised data of millions of our customers, former customers, and prospective customers. Fortunately, the breach did not expose any customer financial information, credit card information, debit or other payment information but, like so many breaches before, some SSN, name, address, date of birth and driver’s license/ID information was compromised.

Now the question is how should “like so many breaches before” be read,

1, Applying only to T-Mobile?
2, Applying to Mobile service providers?
3, Applying to the telecommunications service sector?
4, Applying to ICT sector in general?

But I would point out not only is the paragraph it is in is specific to T-Mobile, the sentance it is in starts as specific to T-Mobile so logically option 1 is the one most would think applies….

Anyway votes on a post card 😉

But it gets better… In a paragraph about notifying people who have had their details stolen we find this curiosity,

“We are also now working diligently to notify former and prospective customers.”

Are they saying they have details of people that are not, nor ever have been T-Mobile customers that have been compromised as well?

Before dismissing the idea, remember that in the UK there was a case where the database of customers approaching end of contract with one mobile supplier, ended up in the possession of another compeating mobile phone supplier, and due to unlawful behaviour details became disclosed.

So it might not be “Industry best practice” but there is a “history” of major players having extensive details of people that they have no contractural relationship with being held as shall we be nice and say “leads” even though they might have been unlawfully possibly illegally obtained.

But on the technical side of the attack we only get the following,

“What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.”

Getting in via “testing” is one of the oldest successful attack routes known, it’s decades old, and it keeps happening. Proving yet again that ICTsec does not learn from it’s history.

In the US perhaps the incident of “testing” being used to attack mobile phone users was that around CarrierIQ.

But if you want to go back even further, how about the one example most hear about in name but never get to know the actual details. The infamous “Prince Phillip Hacked” incident in the UK that happened back in the early days of “home computing” before the Internet was available and BT as we now call it was pushing an on-line service called Prestel, and the UK’s “mad” Maggie Thatcher was trying to sell off what became the “Big Seven Incher” to put money in her “war fund” via the UK Treasury. Which led to a very strange series of events that few are still alive to talk about from first hand experience, as it started back in 1984 as I’ve mentioned before with the “testing” of “bulk update Software” for home computers as the IBM PC was not yet an item you would find in either a home or office, the top of the line in that respect being the Apple ][.

Basically those at Prestel were getting teenagers and school kids to write sodtware to push Prestel, and gave near “open access” via a dial up system we called “Pandora” that although not officially a “live service” actually had been made by taking a backup tape of a “live service” system and loading it onto Pandora. Unfortunately the system was designed with a “plaintext” password file…

supersaurus August 29, 2021 5:15 PM

to change people’s behavior change their incentives. suppose the CEO went to jail, what would other CEOs do? keep on keepin’ on? I doubt it.

Andy August 30, 2021 12:36 AM

@supersaurus. What do we do for the federal OPM hack? Do we send the president, a cabinet level secretary, some under-secretary or fall back on some engineer? Maybe if you make them liable the shareholders can have a clawback on Executive Team’s golden parachute

Weather August 30, 2021 1:05 AM

Simple if you are a level one company you have to pay for a level one security section, if level two….
You don’t need much in way of certified security section, word of mouth sorts that out, if your a prefer contractor.
That scam txt I said before, they had my first name, maybe data breach can have effects at lower layers.

ishomi August 30, 2021 1:26 PM

Thanks for the info.

My annoying and clumsy (yet sometimes loveable) father, now deceased, was a devoted T-Mobile customer.

It just so happens that his customer activity with them peaked during the same period of time as what seemed, back then, to have been his biggest incident of identity theft. He was a victim.

Because of witnessing his clumsiness on the phone with T-Mobile, and with his other personal info management, I made it a point to avoid doing business with most of the same businesses and organizations that he was involved with, even after he died.

That includes some specific credit card com(p)a(ny).

SpaceLifeForm September 1, 2021 6:33 PM

I suspect they have had an insider problem starting ten years ago.


[check the timestamps on pic]

[He has more info. In fact he deleted a tweet from yesterday that had very interesting info. I’m not going to mention names, but will just note that users working at large orgs were probably being spied upon if they used T-mobile. Never use work e-mail address for non work related purposes]

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.