A computer intruder broke into T-Mobile USA's computer systems more than a year ago and obtained the names and Social Security numbers of 400 customers, the Bellevue-based company...

Share story

A computer intruder broke into T-Mobile USA’s computer systems more than a year ago and obtained the names and Social Security numbers of 400 customers, the Bellevue-based company acknowledged yesterday.

The intruder also obtained investigative material from a U.S. Secret Service agent who was coincidentally investigating the incident.

The case led to the indictment last year of Nicholas Lee Jacobsen, 21, in U.S. District Court of the Central District of California.

Most Read Stories

Unlimited Digital Access. $1 for 4 weeks

Jacobsen, who was arrested in October, was charged with “impairing the integrity” of “a computer system” and causing at least $5,000 in losses during a one-year period.

The investigation of the T-Mobile break-in became widely public yesterday after details were published on Security Focus, a Web site owned by computer-security giant Symantec. The investigation was part of a U.S. Secret Service effort called “Operation Firewall” to target global credit-card fraud and identity theft over the Internet.

T-Mobile USA, part of German-based Deutsche Telekom, has about 16.3 million subscribers and is the fifth-largest carrier in the U.S. It markets heavily to younger users and draws an A-list celebrity crowd with its T-Mobile Sidekick, a device that allows wireless e-mailing, instant messaging and Web browsing.

“Safeguarding T-Mobile customer information is a top priority for the company,” T-Mobile said in a statement yesterday.

According to the company, in late 2003, it discovered that someone had gained unauthorized access to a portion of one of its internal computer systems.

“We immediately took steps that prevented any further access to this system,” the company said.

T-Mobile said it then asked the U.S. Secret Service to investigate. During this investigation, it was determined that the intruder was able to see the names and Social Security numbers, but not credit-card information, of 400 customers.

“These customers were notified in writing of this incident,” the company said. It did not elaborate on when the customers were notified. According to some state laws, a company must notify customers of a security breach within an allotted time period.

Investigators said they traced the hacker’s online activities to a hotel in Williamsport, N.Y., where Jacobsen was staying.

Court records said an online offer tied to Jacobsen in March 2004 claimed hackers could look up the name, Social Security number, birthdate and passwords for voice mails and e-mail for T-Mobile customers.

After his arrest in California, Jacobsen was released on a $25,000 bond posted by his uncle in Oregon, who was ordered to keep his own personal computer locked up so Jacobsen couldn’t use it.

Jonathan Cherry, a spokesman for the U.S. Secret Service in Washington, D.C., said one of the victims in the incident was a Secret Service agent who was part of Operation Firewall.

In addition to the e-mail and personal-computer files of hundreds of customers the intruder had access to, the hacker obtained documents of Secret Service agent Peter Cavicchia, who was investigating the hacker and was using his personal T-Mobile account.

“It is true that the personal account of a Secret Service agent was compromised,” Cherry said. The information should not have been kept on the agent’s personal device, he said.

Cavicchia, a respected investigator who has specialized in tracking hackers, won the Secret Service’s medal of valor for his actions in the Sept. 11, 2001, terrorist attacks.

Although he resigned, he told The Associated Press he was not asked to leave and said he was cleared during an internal investigation into whether he had improperly revealed sensitive information or violated agency rules.

Cavicchia said Secret Service supervisors frequently e-mailed documents and other files to his wireless computer to review while he was traveling.

“The only way for me to review documents while I was on the road was for them to send them to that address, which they knew wasn’t an agency address,” Cavicchia said.

Reporting in this story is by Seattle Times technology reporter Tricia Duryee and The Associated Press.