At the moment, T-Systems subsidiary MMS is migrating about 2,300 customers to the most up-to-date system version using the Cloud Manager service . The latest offering allows customers to use Microsoft Exchange-based mailbox systems containing one or more e-mail addresses. The migration has already been completed for almost 1,200 customers.
An incident occurred in which the migration process caused a technical error. One of the steps in the migration of the relevant customer's mailbox took a disproportionately long time. Due to a temporary technical error, the affected customer continued to have access to their mailbox while the migration process was running. At this point in the process, not all access rights to the mailbox had been fully re-established and as a result the user was allocated excessively wide read privileges.
Due to the error, that customer had access to contact details, such as telephone numbers, e‑mail addresses and also some postal addresses, stored in the server for other customers. Sensitive data such as bank details and passwords are not stored in the affected database.
Countermeasures taken immediately
Deutsche Telekom took technical precautions immediately upon becoming aware of the problem in order to ensure that such an error can never occur again. We have informed the regulatory authorities of the incident, as well as the customers whose data was exposed to this access. We have requested the customers affected by the error to delete any data they may have received wrongly as a result and to confirm to us that they have done so.
Further investigation into the incident has revealed that a further error may have occurred during the update, which, however, has generated a different pattern to the current one. We are unable to absolutely rule out the possibility that up to 36 customers were able for a time to access the data of other customers. In this case too, the affected data was limited to such contact details as telephone numbers and e-mail addresses.
The error affected only T-Systems' hosted Exchange customers. The incident had no effect on customers of Exchange Online, Microsoft's cloud service, for which T-Systems fulfills the role of Data Trustee.