Anatomy of a Breach: The Sidekick Cloud Disaster — When Microsoft Lost Everyone's Data

> series: anatomy_of_a_breach —— part: 010 —— target: microsoft_danger —— users_affected: 800,000 —— data_status: almost_certainly_lost

Hedgehog Security 31 October 2009 13 min read

Every contact. Every photo. Almost certainly lost.

On 10 October 2009, T-Mobile sent a message to its Sidekick smartphone customers that contained some of the most alarming words in the history of cloud computing: 'Personal information stored on your device — such as contacts, calendar entries, to-do lists or photos — that is no longer on your Sidekick almost certainly has been lost as a result of a server failure at Microsoft/Danger.'

Approximately 800,000 users were affected. The Sidekick was designed around the cloud — all user data was stored on Danger's servers (Danger being a Microsoft subsidiary acquired for $500 million in 2008), not on the device itself. When the servers failed, and the backups were also destroyed, users lost everything — contacts, calendars, photos, notes, and to-do lists. TechCrunch called it 'beyond FAIL.' At the time, it was described as the biggest disaster in cloud computing history.


A failed upgrade destroyed both primary and backup data.

The incident began on 2 October 2009 when Sidekick users started experiencing data service outages. The root cause was a Storage Area Network (SAN) upgrade performed by contractor Hitachi Data Systems on the servers running the Sidekick cloud service. Something went catastrophically wrong during the upgrade — the primary database was corrupted, and the backup database, which should have provided a safety net, was also rendered unusable.

Sidekick Data Loss — Timeline
── 2 October 2009 ─────────────────────────────────────────
Sidekick users begin experiencing data service outages
Contacts, calendars, photos inaccessible
Voice calls and SMS still functional

── 2–10 October ───────────────────────────────────────────
Outages continue for over a week
Microsoft/Danger unable to restore service
Users warned: DO NOT power off or reset your device
(Data still on device would be lost on restart)

── 10 October 2009 ────────────────────────────────────────
T-Mobile announces data 'almost certainly has been lost'
'Likelihood of a successful outcome is extremely low'
T-Mobile suspends sale of all Sidekick models

── 15 October 2009 ────────────────────────────────────────
Microsoft announces recovery of 'most or all' data
Restoration begins, starting with contacts
Microsoft CEO Ballmer: 'It is not clear there was data loss'

── Aftermath ──────────────────────────────────────────────
T-Mobile offers $100 gift card and 1 month free service
Lawsuits filed against Microsoft and T-Mobile
Public confidence in cloud computing significantly shaken

The breach that questioned whether the cloud was safe.

The Sidekick data loss was not a hacking incident — it was an operational failure. No attacker exploited a vulnerability. No malware was deployed. A routine storage upgrade, performed by a contractor, destroyed both the primary database and its backup. The lesson was not about perimeter security or access control — it was about the fundamental reliability of cloud infrastructure and the catastrophic consequences when backup and recovery processes fail.

Cloud-Only Architecture with No Local Backup
The Sidekick was designed to store all user data in the cloud — the device itself retained only a volatile cache. This meant that when the cloud failed, there was no fallback. Users who had purchased the optional $10 desktop backup application were the only ones with a safety net. The architectural decision to eliminate local storage created a single point of failure that was realised catastrophically.

Backup Destroyed Alongside Primary
The backup data was stored on infrastructure accessible from — or dependent on — the same systems as the primary data. When the SAN upgrade failed, it took both copies with it. This is the same pattern we saw in the Virginia prescription ransom (Breach #006) and that we see repeatedly in ransomware incidents: backups that are not genuinely independent of the systems they are protecting are not backups at all.

Contractor Error with No Safety Net
The precipitating event was work performed by contractor Hitachi Data Systems. The absence of adequate pre-upgrade snapshots, rollback procedures, and independent backup verification meant that a single contractor error could — and did — destroy the entire dataset. Third-party risk in the supply chain extends to operational maintenance, not just external threats.

Post-Acquisition Neglect
Microsoft acquired Danger for $500 million in 2008 but reportedly did not upgrade the Sidekick infrastructure to Microsoft's own data centre standards. Staff attrition after the acquisition meant that institutional knowledge of the Danger systems was lost. The infrastructure that hosted 800,000 users' data was effectively orphaned within Microsoft — maintained but not improved.

Backup validation would have prevented this.

This incident was not preventable through penetration testing in the traditional sense — it was an operational failure, not a security compromise. However, the controls that would have prevented it are controls we assess as part of our broader security and resilience evaluations.

| Failure | What Should Have Existed |
| --- | --- |
| No independent backup verification | Backup integrity should be verified regularly through test restoration — not just by checking that backup jobs complete, but by actually restoring data and confirming it is usable. Our infrastructure assessments include backup and recovery validation as a standard component. |
| Backup on same failure domain as primary | Backups must be stored on infrastructure that is genuinely independent of the primary systems — different storage, different network, ideally different location. The Danzell Cyber Essentials update has repositioned backup guidance prominently, signalling that resilience is becoming a certification concern. Our Cyber Essentials assessments evaluate backup arrangements. |
| No pre-upgrade snapshot or rollback plan | Any maintenance operation that touches production data should be preceded by a verified snapshot and a tested rollback procedure. This is standard change management — and its absence in a $500 million Microsoft subsidiary was inexcusable. |
| No continuous monitoring of data integrity | SOC in a Box monitors system health and data integrity continuously — detecting anomalies in storage, database, and backup systems that indicate a failure in progress, not just a failure after the fact. |
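
The restore-test and failure-domain controls listed above, sketched as an added example (this is not Hedgehog Security's, Microsoft's or Danger's tooling). The function names, the tar.gz format, the constructed sample files and the use of a shared filesystem device as a stand-in for "same failure domain" are all assumptions made for illustration.

```python
import hashlib, os, tarfile, tempfile, zlib
from pathlib import Path

def manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def back_up(source: Path, archive: Path) -> dict:
    """Write the archive; return the manifest recorded at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest(source)

def verify_by_restore(archive: Path, expected: dict) -> list:
    """Restore into a scratch directory; return problems found (empty list = usable)."""
    opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(scratch, **opts)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return [f"restore failed: {type(exc).__name__}"]
        restored = manifest(Path(scratch))
    return ([f"missing: {n}" for n in expected if n not in restored] +
            [f"corrupt: {n}" for n in expected
             if n in restored and restored[n] != expected[n]])

def same_failure_domain(primary: Path, backup: Path) -> bool:
    """Crude proxy (assumption): same filesystem device means shared fate."""
    return os.stat(primary).st_dev == os.stat(backup).st_dev

def demo() -> dict:
    """Constructed data: one good backup, one truncated 'successful' backup."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "primary")
        src.mkdir()
        (src / "contacts.csv").write_text("alice,555-0100\nbob,555-0101\n")
        (src / "calendar.ics").write_text("BEGIN:VCALENDAR\nEND:VCALENDAR\n")
        good, bad = Path(work, "backup.tgz"), Path(work, "truncated.tgz")
        expected = back_up(src, good)
        # The job "completed", but only half the archive reached the disk.
        bad.write_bytes(good.read_bytes()[: good.stat().st_size // 2])
        return {"good": verify_by_restore(good, expected),
                "bad": verify_by_restore(bad, expected),
                "shared_domain": same_failure_domain(src, good)}

if __name__ == "__main__":
    print(demo())
```

In the demo the backup sits on the same device as the primary, so `shared_domain` comes back true: the copy restores cleanly yet would still be lost with the primary in a storage failure.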

Cloud does not mean someone else's problem.

The Sidekick data loss occurred in 2009, when cloud computing was still novel and public trust was fragile. Sixteen years later, cloud services are ubiquitous — Microsoft 365, Google Workspace, AWS, Azure — and the assumption that 'it is in the cloud, so it is safe' is widespread. But the fundamental lesson of the Sidekick disaster remains: cloud providers can lose your data, and when they do, it is your problem, not theirs.

Our cloud configuration review service assesses the security and resilience of your cloud estate — verifying that backup and recovery procedures exist, that they are independent of the primary systems, and that they have been tested. For organisations that need continuous assurance that their cloud infrastructure is configured correctly and their data is protected, SOC in a Box provides 24/7 monitoring of cloud environments alongside traditional infrastructure. And when data loss or breach occurs, UK Cyber Defence provides the incident response capability to investigate, recover, and restore.


Is your cloud data genuinely backed up?

Our cloud configuration review verifies that your Microsoft 365, Azure, AWS, or Google Cloud environment is configured securely and that your backup and recovery procedures actually work. Because the lesson of the Sidekick disaster — that cloud data can be lost — has not changed, even if the technology has.
