Unknown attackers have unsuccessfully used an automated script to try to access customer accounts on the AT&T Website, AT&T wrote in a letter to customers.
notified some of its wireless customers that unknown perpetrators had tried to
hack their accounts. The attack was unsuccessful as no accounts appear to have
been breached, the company said in a letter to its customers.
appear to have used an automated script to see if AT&T telephone numbers
were linked to online AT&T accounts, AT&T spokesperson Mark Siegel said
in an email Nov. 21. The script tried to link mobile numbers with log-in
credentials and then tried to use the credential to log in to the AT&T
than 1 percent of the customers were affected, AT&T claimed. Considering
the company reported 100.7 million wireless subscribers at the end of the third
quarter, that could mean as many as 1 million subscribers were affected.
recently detected an organized and systematic attempt to obtain information on
a number of AT&T customer accounts, including yours," AT&T said in
an email to customers, adding that the company doesn't believe the attackers
were able to view any of the information saved in the accounts.
is still investigating to determine the source of the attack, as well as the
customers were being warned "out of an abundance of caution," and
they should be vigilant for phishing emails or smishing text messages asking
for sensitive information. There "may be an increased risk of fraudulent
attempts to access" account information, the letter said.
incident could be an example of hackers trying to get "inference data," or
information that can be combined with other pieces of information to
"infer something useful," Mike Logan, president of Axis Technology,
. Since the type of
sensitive information being inferred is usually protected at a higher security
level, the breach attempt illustrates the importance of protecting all types of
customer data, according to Logan.
AT&T is to be commended for its prompt action after a potential attack, it
would be far better if organizations invest in the infrastructure to prevent
the breach in the first place, Steven Sprague, CEO of Wave Systems, told eWEEK
. He said a "Y2K-type
approach" is necessary to battle cyber-threats.
week a water system, this week a top network provider. We are unprotected, and
it is time to do something about it," Sprague said, referring to reports
that attackers had remotely
accessed an industrial control system
at a city water utility and caused a water
pump to burn out by repeatedly turning it on and off.
should be setting up security so that only known devices can have access to
sensitive data stored online, instead anyone with the password information
having access, according to Sprague. Data should be encrypted online and
decrypted only when accessed from the endpoint that has been "properly
identified and measured," he said.
am sure AT&T is spending millions on new 'pay by phone technology' to buy
coffee-how about securing AT&T e-commerce first?" Sprague said.
a lot of work that needs to be done by major brands, but if they don't take the
initiative to address security head-on, the government needs to step in with
some cyber-security regulations, according to Sprague. "It's unfortunate,
but it is true," he said.
has been focusing on cyber-security legislation this year. The Senate has been
working on a comprehensive bill for the past two years, and there are several
bills circulating in the House. Senate Majority Leader Harry Reid, D-Nev., sent
a letter on Nov. 16 to Senate Minority Leader Mitch McConnell, R-Ky., detailing
claims to bring comprehensive cyber-security legislation to the Senate floor by
early 2012, reported The Hill, a congressional blog.
the magnitude of the threat and the gaps in the government's ability to
respond, we cannot afford to delay action on this critical legislation," Reid
isn't the first time AT&T was targeted by hackers. Last year, hackers
managed to collect more than 100,000 email addresses belonging to Apple
iPad 3G users
by exploiting a
flaw in the AT&T Website
used to register their tablets. The site was
designed to auto-fill user information on the page if the user's unique
identifier was recognized. Two men were charged in January, and one pleaded
guilty to fraud and hacking charges in June.
incident does not appear to have any connection to that hack.