Deutsche Telekom's German mobile phone subsidiary T-Mobile lost control of personal information about 17 million of its customers in early 2006, the company said Saturday.
Silent about the data loss for more than two years, the company published its version of events on Saturday following a report in German news magazine Der Spiegel that the data were being offered for sale on the Internet.
In 2006, T-Mobile was approached by a person claiming to have confidential customer data in his possession, said company spokesman Philipp Blank.
The company immediately informed the public prosecutor, and investigators subsequently found a disk containing T-Mobile data, Blank said. No disk was physically stolen from Deutsche Telekom premises, and the company is unable to account for how the data came to be on the disk found by investigators, Blank said. Prosecutors consider the person who contacted the company as a witness, not a thief, he said.
Data on the disk included customers' name, date of birth, address and mobile phone number, and in some cases the customers' e-mail addresses. No banking details were lost, the company said.
When the loss of the data was discovered, the company reported the loss to the state prosecutor, and began monitoring Internet forums and sites where such stolen information is offered for sale, it said.
T-Mobile found no evidence in the months following the loss that the missing data was on the market, it said.
That changed on Saturday, however, with Der Spiegel's revelation that the data is now for sale on the Internet.
The data for sale includes the home addresses and unlisted phone numbers of many German celebrities, business leaders, billionaires, religious representatives, government ministers and politicians, according to the report.
T-Mobile maintains that there is no evidence that the data has been used to harass or to steal the identity of any of its customers.
Blank said there is still no evidence that the customer data is available for sale on the Internet, and the magazine appears to have obtained customer data from the same person who originally contacted T-Mobile in 2006, he said.
Although the company is unable to account for how the data was originally obtained from its database, it has improved its security procedures since 2006, Blank said. Those procedures now include the use of stronger passwords and access controls, and the logging of accesses to customer databases.
Customers worried about the disclosure of their mobile phone number can have it changed for free, the company said.
Deutsche Telekom is also in hot water for paying a little too much attention to the personal details of some of its customers. Its internal security staff are accused of spying on the private phone use of members of its board of directors, whom the company suspected of leaking sensitive information to journalists. The company said in May that it had called for an independent investigation of the affair.