T-Mobile Confirms Data Breach

Over the past weekend, an anonymous poster left a detailed message on the Full Disclosure mailing list, claiming to have penetrated T-Mobile and gained access to sensitive documents. Today, T-Mobile confirmed the breach, stating that customers "can be assured if there is any evidence that customer information has been compromised, we would inform those affected as quickly as possible."

Don't breathe a sigh of relief just yet.

Laws require notification when customer or employee data is compromised. These are good laws, but do have an unwelcome side effect. As a result of the laws, when breaches do occur, the impacted companies focus almost exclusively on the question of whether customer data was compromised. And as a result of that focus, we've developed an almost Pavlovian response to breach disclosures, assuming that the biggest risk is to customer data and focusing our own attention solely on that question.

In reality, there are far more pressing questions to be answered than the potential compromise of customer accounts. If I were a T-Mobile customer (or a T-Mobile investor) here are the questions I'd defintely be asking:

Were rootkit-enabled backdoors installed that can lead to ongoing intrusions? If attackers were able to gain access repeatedly in the past, it seems likely they have left behind a means to gain access in the future. Have these holes been discovered and closed?

Were future hardware product plans compromised? If so, this could lead to counterfeiting and lost revenues.

Were services or software compromised? If so, this could lead to DNS poisoning, traffic tampering, and/or delivery of malware to current and future users of those services and software.

Unfortunately though, because laws require only notification to the extent that customer data was exposed, these are questions to which we may never get answers. But at the very least, they are questions that should be asked.