A 21-year-old who goes by the online nickname "Ethics" infiltrated T-Mobile's computer network and for more than a year enjoyed unfettered access to the voice mail and e-mail of the mobile phone provider's customers, authorities said.
He was arrested by the Secret Service in Orange County.
Nicolas Jacobsen read the e-mail of a Secret Service agent, perused photos snapped on cellphones, listened to private voice mails and even offered to retrieve Social Security numbers and other personal information for fellow hackers, according to interviews and documents filed in U.S. District Court in Los Angeles.
The case, brought to light this week on the website SecurityFocus.com, highlights the vulnerability of personal data in an age when virtually every aspect of life is digitized and networked.
"It used to be your answering machine was in the house — now it's at the phone company. You used to get your bank statements in the mail — now it's on the Web," said Bruce Schneier, chief technology officer of Counterpane Internet Security Inc. "Your security depends on trusting many companies to a much greater degree than ever before, and there's nothing you can do about it."
T-Mobile USA Inc. — the nation's fourth-largest mobile phone company, with 16 million customers — said Wednesday that 400 of its users had personal data compromised in 2003 and that it had notified them in writing of the situation. The Bellevue, Wash.-based subsidiary of Deutsche Telekom said it was investigating whether any others had information exposed in 2004.
No credit card information was taken; those data are stored separately, T-Mobile said.
"We got to him early in the game," said T-Mobile spokesman Peter Dobrow.
But given the scale of what Jacobsen is alleged to have done, Schneier said, the incursion ranked as one of the deepest ever revealed: "It might be the winner."
Jacobsen was arrested as part of a larger sweep conducted in October, but his case received almost no attention as prosecutors tried to negotiate a plea agreement with him. Jacobsen, who worked at Irvine software maker Pfastship Logistics, faces a sentence of up to five years in prison if convicted on charges of computer intrusion.
He and his public defender declined to comment.
When Jacobsen was arrested, he was living in a Santa Ana apartment. He moved to Oregon after he was released on bail in November.
In a resume he posted online in 2001, Jacobsen said he had an associate's degree from Umpqua Community College in Roseburg, Ore. But he stressed his nontraditional education, including several security conferences. Jacobsen also listed his other skills: computer systems design, intrusion testing and "social engineering," the art of misleading people into giving information they shouldn't.
Exactly how T-Mobile's network was breached was unclear. In any big computer system, there are hundreds of flaws in the software or architecture that could allow a hacker to infiltrate. A person close to the case said Jacobsen used sophisticated tools and techniques to remain undetected for parts of 2003 and 2004.
Secret Service investigators caught wind of problems at T-Mobile after discovering that offers for information about the company's subscribers had been posted on a website frequented by credit card thieves. The agency was monitoring people who visited the website as part of Operation Firewall, an investigation into hackers and identity thieves.
That inquiry was aided by an informant active in hacker circles. The case took a personal turn last summer when the informant told the Secret Service that hackers were swapping sensitive e-mails from the account of Peter Cavicchia, an agent who investigates cyber-crimes.
Cavicchia used his T-Mobile Sidekick, a portable messaging device, to access his work computer and check e-mail.
"This particular account had limited investigative material which should not have been kept on the PDA," agency spokesman Jonathan Cherry said. Among the documents Jacobsen allegedly copied from Cavicchia's account was a secret mutual legal assistance treaty with Russia.
Although court filings note that the information hacked was "extremely sensitive," including requests for subpoenas, no investigations were compromised, Cherry said.
He said agents had been reminded to keep their files in their office computers but added: "In this new age of cyber-crime, traditional investigative methods have to be supplemented."
Ultimately, Jacobsen was traced to a computer network at a hotel near Buffalo, N.Y., where he was on a business trip for Pfastship, authorities said.
Agents arrested him after he returned to California.
The unnamed informant is cooperating with investigators in hopes of receiving leniency in another case. Court records suggest that the Secret Service was hoping Jacobsen would follow a similar path.
After an initial ban on computer use, Jacobsen is free to go online if the activity is directed by his employer "or is otherwise authorized by the government or the court."