December 23, 2024

AT&T Admits Insider Illegally Accessed Customer Data

Posted on October 6, 2014 by in Security

AT&T is advising customers that a rogue employee illegally accessed their personal information.

In a breach notification letter sent to customers and the Vermont attorney general, AT&T explained the breach occurred in August. The employee responsible is no longer with the company.

According to the letter, the employee was able to view and may have accessed customer information ranging from social security numbers to driver’s license numbers. In addition, while accessing user accounts, the employee would have been able to view their Customer Proprietary Network Information (CPNI) without authorization. CPNI data is associated with services customers purchase from AT&T.

It is not clear how many customers were affected by the breach or if consumers in other states may have been involved.

“AT&T’s commitments to customer privacy and data security are top priorities, and we take those commitments seriously,” according to the letter.

“Simply stated, this is not the way we conduct business, and as a result, this individual no longer works here,” the letter notes.

AT&T is offering affected consumers a year of free credit monitoring, and said in the letter that any unauthorized changes that had been made to accounts would be reversed. The company has contacted federal law enforcement as well.

Earlier this year, employees of one of AT&T’s service providers accessed customer information without authorization as well. According to AT&T, the perpetrators in that case were trying to gather information that could be used to request codes to unlock AT&T mobile phones so that they could be used with other telecommunications providers.

“Insiders are worse than hackers because there’s no way to protect against them that’s truly effective,” opined Jonathan Sander, strategy and research officer for STEALTHbits Technologies. “If you need to do business, you need people to access information. If the wrong person or the person in the wrong frame of mind decides to use that access badly, what can you do?”

“This proves, yet again, that humans are the weakest link in any security plan,” he added. “It’s the old IT administrator joke about a system error called PEBKAC – Problem Exists Between Keyboard And Chair.”

Brian Prince is a Contributing Writer for SecurityWeek.

Previous Columns by Brian Prince:


SecurityWeek RSS Feed

AT&T to Join Rivals with ‘Transparency Report’

Posted on December 21, 2013 by in Security

WASHINGTON – AT&T said Friday it would join rivals in the tech and telecom sector in publishing a “transparency report” about demands for information from law enforcement agencies.

The announcement came a day after a similar announcement from sector rival Verizon, which follow releases from big technology firms including Google, Apple and Microsoft, and intense scrutiny of these firms in light of revelations of wide-ranging US government surveillance programs.

AT&T said in a statement it would release a semiannual report starting in early 2014 with information “to the extent permitted by laws and regulations.”

The report will include the total number of law enforcement agency requests in criminal cases, subpoenas, court orders and warrants.

AT&T said it believes that “any disclosures regarding classified information should come from the government, which is in the best position to determine what can be lawfully disclosed and would or would not harm national security.”

The telecom giant said that “protecting our customers’ information and privacy is paramount,” and that it complies with legal requests in the countries where it operates.

“We work hard to make sure that the requests or orders are valid and that our response to them is lawful,” the AT&T statement said.

“We’ve challenged court orders, subpoenas and other requests from local, state and federal governmental entities — and will continue to do so, if we believe they are unlawful. We do not allow any government agency to connect directly to our network to gather, review or retrieve our customers’ information.”

The announcements from AT&T and Verizon come after a period when the telecom firms were notably absent from a debate on disclosures about the scope of US surveillance programs from fugitive former intelligence contractor Edward Snowden.

But the telecom and tech firms are still barred from releasing data on national security requests from the FBI and US intelligence services.

A push by the tech sector to get authorization to release the sensitive data requests got a boost this week from an independent review board appointed by President Barack Obama, which recommended that this data be published.

Tech firms have said the sales overseas are being hurt by a perception that the US government can easily gain access to their networks.

© AFP 2013


SecurityWeek RSS Feed