AT&T Insider Data Breach More Dangerous Than External Hacking
NEWS ANALYSIS: This isn't the first time AT&T has experienced a data breach, but this time is different and potentially more dangerous.
AT&T has not formally disclosed how many customers the company's latest data breach affected, but the attack appears to have exposed customer birth dates and Social Security numbers (SSNs). It isn't the first time that AT&T revealed that a data breach put customer information at risk. Yet there is reason to believe that the latest breach, which AT&T disclosed June 13, is more serious than past incidents.
Security experts eWEEK contacted were not surprised at the news that AT&T customer data was breached, but there was some surprise over the motives of the breach. Girish Bhat, director of product marketing for Wave Systems, said that while threats from insiders are no longer surprising, the intended use of this hack—jail-breaking locked AT&T phones so that they can be resold—is indeed surprising.
Lucas Zaichkowsky, enterprise defense architect at AccessData, told eWEEK, "Three employees of an AT&T vendor with access to records stole them as part of a scheme to make money by unlocking used cell phones. It seems as though there was minimal or no hacking activity in the traditional sense of the word."
In the Auernheimer breach, the purpose was allegedly to expose a flaw that already existed in the AT&T system. In the latest breach, the purpose is more sinister in that it was likely tied to a money-making scheme to enable the unlocking of user devices.
"While the used phone market is cited most frequently in the articles about this event to date, it is a mistake to fail to acknowledge that even current customers sometimes want handsets unlocked at different times than carriers will accommodate," Stratton said. "If the carriers accelerated their moves to the new CTIA voluntary unlocking rights policies, it is conceivable that the demand for this sort of service might decrease."
Mitigation
Organizations and end-users can do a number of things to help mitigate the risk of data breaches like the one that just hit AT&T. Organizations should limit the number of records employees can access at one time and monitor for unusual employee activity, Zaichkowsky said.
Bishop Fox's DeMesy said AT&T officials clearly need to look at their internal practices and enforce the principle of least privilege in which employees only get access to the type of data they need to do their jobs. "There is no reason for a vendor seeking to unlock a phone to also have access to phone records and SSNs associated with the account," DeMesy said.
Consumers should avoid giving companies personal information, such as their SSNs, DeMesy said. "Many companies will ask for your SSN; far fewer actually require it," he said. "The frustrating piece is that once a company has your information, there is very little consumers can do to make sure the company adequately protects the data."
Consumer vigilance is crucial when it comes to personal information. "At the end of the day, we each need to be vigilant by monitoring credit reports and financial accounts for unusual activity," Zaichkowsky said. "Catching these incidents quickly, reporting them and taking action are personal obligations."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.