Case Study

Reinventing T-Mobile's Security Function

T-Mobile needed to reinvent its security function, so it recruited a veteran team to shape a new asset protection division. The goal: Inject risk calculations into every business decision.

By Scott Berinato

May 01, 2006 — CSO —

Paris Hilton is the pink elephant in the room. For it was data from her wireless device that was hacked, and her wireless device was a T-Mobile Sidekick. A clever 21-year-old named Nicolas Jacobsen hacked the data. In fact, he had the run of T-Mobile's servers on and off for more than a year. He took what he wanted from any of T-Mobile's 16 million accounts, including Social Security numbers, account passwords and e-mails. (News of the Hilton hack garnered more attention than these breaches, dwarfing the fact that Jacobsen had also hacked the Sidekick of a Secret Service agent and published excerpts of sensitive Secret Service e-mails and documents.)

Jacobsen was caught in October 2004 and pled guilty four months later. (He was sentenced two months after that but the judge sealed the proceedings.) For T-Mobile, Jacobsen's downfall was a mostly insignificant development. Because even before Jacobsen could be sentenced, a copycat hacker accessed Hilton's account again and this time published some of her photos and data from her phone's memo pad and address book.

T-Mobile had drawn national attention, but the worst kind, as it became the latest poster child of bad security. "T-Mobile is in the news again, with another celebrity cell phone hack," jabbed the irreverent online IT news site The Register. The story, called "Big Company, Crap Security," put T-Mobile's misfortune in close proximity to another bete noire of the moment, ChoicePoint. "Combined with other high-profile leaks, T-Mobile's internal security is not looking good," the story said.

But all of that was more than a year ago. Now, in one room sit three of the top security executives recruited to effect change at T-Mobile by creating a new asset protection division. They are: Frank Porcaro, vice president and director of the new asset protection division; Ed Telders, director of information security, policy and compliance; and Rick Roberts, senior manager of security services. With them in the room, of course, is the pink elephant.

"If anything," says Telders, not mentioning that celebrity's name, "that thing helped accelerate the process, but the vision was prior to all of that stuff."

The vision Telders speaks of is ambitious, because T-Mobile decided to put its security function through an extreme makeover. The overarching idea is focus. T-Mobile had security spread throughout its organization. Now the company wants to pull all of its security into one place, with one leader, to both reduce risks and increase efficiencies.

• Email
• Print
• Comments
• Digg This
• SlashDot

• T-Mobile: Leaders Lineup
• All Over the Map
• Harland Clarke Rechecks Risk Management