Got an amazingly quick response from the T-Mobile PR department by phone, followed by an emailed statement, which will follow with commentary added.

T-MOBILE STATEMENT ON SECURITY AND PRIVACY

T-Mobile cares greatly about protecting the security and privacy of our valued customers. We want to ensure our customers that protecting their information is a top priority for the company. Like many organizations, T-Mobile is very concerned by the growing phenomenon of personal data being illegally sought and distributed.

"We are aggressively investigating the illegal dissemination of information over the Internet of T-Mobile customers' personal data," said Sue Swenson, chief operating officer, T-Mobile USA, Inc.

Notice that she makes no mention of doing any actions on their own part to improve security, only that they will follow up on what has already been found...

T-Mobile is actively working with federal law enforcement agencies to investigate any criminal activity we uncover that impacts our customers, including vandalism, theft or exposing of personal data, and help bring those responsible to justice. In addition, the company will initiate a consumer education campaign designed to help inform customers on steps they can take to help secure their own personal data.

Again, the statement seems to imply that T-Mobile intends to make no changes to improve security internally, but rather that the see this as a problem of the customers choosing poor passwords, never mind that this would have no effect on the BEA update issue...

Along with the considerable resources T-Mobile has and will continue to dedicate to customer security, there are some specific actions we recommend customers take to help protect their mobile phone accounts and personal data.

Another re-direction of blame towards the customer, and no explanation of why with said 'considerable resources', they were unable to apply an urgent patch till 18 months after it had been released...

� T-Mobile customers should ensure they utilize passwords and change them frequently to safeguard personal information in the following three areas:

o On my.t-mobile.com - the Web self-service tool.

o Attached to their account, when calling a Customer Service Representative.

o On their voicemail box.

� Be sure the password to access my.t-mobile.com has a combination of letters and numbers.

� Change passwords at least every 60 days; never give out passwords, even to friends or family; and memorize passwords.

� If a device is lost, or notice suspicious activity on an account, call T-Mobile immediately.

If a T-Mobile customer has a question about service, or would like further password assistance, simply visit my.t-mobile.com; or a T-Mobile representative can help you by dialing 611 from a T-Mobile phone, or calling 1-800-937-8997.

Notes:

1. Customer services representatives sampled were not yet prepared for any customer questions on the issue.

2. Corporate headquarters re-directs callers with questions to an automated voice-recognition system that seems designed to inflame an angry customer. Despite telling the operator I wished to make a complaint regarding security of customer data, the system she transfered me to had no recognition for 'complain', 'complaint', 'privacy', or 'security' keywords.

Most amusing is that the PR rep's email address is '@wagged.com'; this appears to be a tounge-in-cheek homage to the PR-guy-fakes-a-war movie "Wag The Dog". A not-too-subtle reminder of the difference between a journalist and a PR flack...but not one I'd think you'd want to associate with your PR statements. It's like saying your mail comes from person-who'd-lie-for-a-buck.com