The address book, which contained the private mobile numbers of celebrity acquaintances like Christina Aguilera and Eminem, not to mention Australia's own Mark Phillipoussis, was stored on US mobile phone company T-mobile's Sidekick servers. The Sidekick device allows owners to make phone calls, surf the Web, e-mail, instant message and take pictures, and uses an online server to store at least some information, including phone numbers.
The revelation comes a month after T-Mobile admitted that a hacker had gained access to the names and Social Security numbers of 400 T-Mobile customers. The incident, which was discovered in late 2003, came to light after 21-year-old Nicolas Jacobsen was charged with the crime. Jacobsen pleaded guilty Tuesday to one felony charge of accessing a protected computer and causing reckless damage. He is scheduled to be sentenced in May and faces a maximum possible sentence of five years imprisonment and a US$250,000 fine.
However, according to influential IT security expert Bruce Schneier, the specific case of data insecurity is not the real issue. On his weblog, Schneier weighed in on the T-mobile theft, saying the case demonstrates that "the security of much of our data is not under our control", and that this sort of data theft is relatively new.
Schneier said: "A dozen years ago, if someone wanted to look through your mail, they would have to break into your house. Now they can just break into your ISP. Ten years ago, your voicemail was on an answering machine in your house; now it's on a computer owned by a telephone company. Your financial data is on Web sites protected only by passwords. The list of books you browse, and the books you buy, is stored in the computers of some online bookseller. Your affinity card allows your supermarket to know what food you like. Data that used to be under your direct control is now controlled by others."
The security expert, who publishes the popular e-mail security newsletter Crypto-Gram and regularly testifies before the US Congress on security issues, also pointed out that "We have no choice but to trust these companies with our privacy, even though the companies have little incentive to protect that privacy. T-Mobile suffered some bad press for its lousy security, nothing more. It'll spend some money improving its security, but it'll be security designed to protect its reputation from bad PR, not security designed to protect the privacy of its customers."
And security firm Sophos has warned that there might be worse things in store for those who are too interested in the exploits of the controversial socialite. Sophos issued a security alert this morning warning users to be wary of e-mails containing references to Paris Hilton after "two different worms were discovered claiming to contain hardcore footage of the society heiress."
According to Graham Cluley, a senior technology consultant for Sophos, "It's an old trick but sadly it still often works - disguise your worm as hardcore porn and there are likely to be some computer users who will throw common sense out the window and launch the dangerous file." In a reference to Hilton's popular television show, Cluley said: "Those looking for the simple life, without the trouble of viruses and worms, would be wise to be wary of unsolicited email attachments."
A spokesman for T-Mobile confirmed that information from Hilton's T-Mobile Sidekick has been posted online, but did not mention if the data theft was related to the initial security breach in 2003. "T-Mobile's computer forensics and security team is actively investigating to determine how Ms Hilton's information was obtained," the company said in a statement. "This includes the possibility that someone had access to one of Ms Hilton's devices and/or knew her account password."