T-Mobile customers’ personal data sold to rivals

Graham Cluley
Graham Cluley
@[email protected]

Woman with mobile phone
The story dominating the British news this evening is the revelation that staff at one of the leading mobile phone company’s sold the personal details of thousands of customers for “substantial sums”.

Information Commissioner Christopher Graham refused to name the company concerned as it could prejudice a future prosecution, but told the media that the names, addresses, telephone numbers and information about customers’ contracts was stolen and sold on to other competitors.

You can imagine just how attractive it would be for one mobile phone company to know when another phone operator’s customers were approaching contract renewal.

Newshounds, ever keen to find out who might have been at the heart of the incident, approached Orange, Vodafone, 3, O2 and Virgin – all of whom said they were not being investigated. This left remaining operator T-Mobile in the uncomfortable position of confirming its involvement.

Sign up to our free newsletter.
Security news, advice, and tips.

BBC News reports that a T-Mobile spokesman confirmed that it was their customers whose data had been sold to rival phone firms and that the information had been sold without their knowledge.


One of the central problems here is that many companies are not doing enough to secure the data they hold about every one of us. The cheapness and availability of devices like USB thumb drives has just made it easier than ever before to scoop up large databases and waltz out of the office without any suspecting a thing.

Technology does exist to help intercept and control the movement of personal data inside organisations – but many firms have still not taken even the most basic steps to halt it dead in its tracks.

I’m not saying that technology can help prevent any data leaks inside your company – after all, a bad guy in your call centre could write down customer details on paper and put them in his back pocket – but it’s only sensible today to take all the precautions you can, and reduce the risk.

Certainly the authorities seem interested in doing what they can to fight this growing problem. For instance, Christopher Graham of the Information Commissioner’s Office has questioned whether the current fines of £5,000 are really a sufficient deterrent for this kind of crime. In his opinion, the most serious offenders should face a spell in prison for deliberate data theft.

And I have to say that I agree with him – £5,000 is peanuts compared to the huge amount of money that can be earnt by stealing personal data from inside a large corporation.

One big question still remains, however. We know that it was T-Mobile who had the data stolen from them – but who was buying it?

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.