AT&T notified some of its wireless customers that unknown perpetrators had tried to hack their accounts. The attack was unsuccessful as no accounts appear to have been breached, the company said in a letter to its customers.
Attackers appear to have used an automated script to see if AT&T telephone numbers were linked to online AT&T accounts, AT&T spokesperson Mark Siegel said in an email Nov. 21. The script tried to link mobile numbers with log-in credentials and then tried to use the credential to log in to the AT&T Website.
Less than 1 percent of the customers were affected, AT&T claimed. Considering the company reported 100.7 million wireless subscribers at the end of the third quarter, that could mean as many as 1 million subscribers were affected.
"We recently detected an organized and systematic attempt to obtain information on a number of AT&T customer accounts, including yours," AT&T said in an email to customers, adding that the company doesn't believe the attackers were able to view any of the information saved in the accounts.
AT&T is still investigating to determine the source of the attack, as well as the intent.
The customers were being warned "out of an abundance of caution," and they should be vigilant for phishing emails or smishing text messages asking for sensitive information. There "may be an increased risk of fraudulent attempts to access" account information, the letter said.
The incident could be an example of hackers trying to get "inference data," or information that can be combined with other pieces of information to "infer something useful," Mike Logan, president of Axis Technology, told eWEEK. Since the type of sensitive information being inferred is usually protected at a higher security level, the breach attempt illustrates the importance of protecting all types of customer data, according to Logan.
While AT&T is to be commended for its prompt action after a potential attack, it would be far better if organizations invest in the infrastructure to prevent the breach in the first place, Steven Sprague, CEO of Wave Systems, told eWEEK. He said a "Y2K-type approach" is necessary to battle cyber-threats.
"Last week a water system, this week a top network provider. We are unprotected, and it is time to do something about it," Sprague said, referring to reports that attackers had remotely accessed an industrial control system at a city water utility and caused a water pump to burn out by repeatedly turning it on and off.
Organizations should be setting up security so that only known devices can have access to sensitive data stored online, instead anyone with the password information having access, according to Sprague. Data should be encrypted online and decrypted only when accessed from the endpoint that has been "properly identified and measured," he said.
"I am sure AT&T is spending millions on new 'pay by phone technology' to buy coffee-how about securing AT&T e-commerce first?" Sprague said.
There's a lot of work that needs to be done by major brands, but if they don't take the initiative to address security head-on, the government needs to step in with some cyber-security regulations, according to Sprague. "It's unfortunate, but it is true," he said.
Congress has been focusing on cyber-security legislation this year. The Senate has been working on a comprehensive bill for the past two years, and there are several bills circulating in the House. Senate Majority Leader Harry Reid, D-Nev., sent a letter on Nov. 16 to Senate Minority Leader Mitch McConnell, R-Ky., detailing claims to bring comprehensive cyber-security legislation to the Senate floor by early 2012, reported The Hill, a congressional blog.
"Given the magnitude of the threat and the gaps in the government's ability to respond, we cannot afford to delay action on this critical legislation," Reid wrote.
This isn't the first time AT&T was targeted by hackers. Last year, hackers managed to collect more than 100,000 email addresses belonging to Apple iPad 3G users by exploiting aflaw in the AT&T Website used to register their tablets. The site was designed to auto-fill user information on the page if the user's unique identifier was recognized. Two men were charged in January, and one pleaded guilty to fraud and hacking charges in June.
This incident does not appear to have any connection to that hack.