AT&T Insider Data Breach More Dangerous Than External Hacking

NEWS ANALYSIS: This isn't the first time AT&T has experienced a data breach, but this time is different and potentially more dangerous.


AT&T has not formally disclosed how many customers the company's latest data breach affected, but the attack appears to have exposed customer birth dates and Social Security numbers (SSNs).

It isn't the first time that AT&T revealed that a data breach put customer information at risk. Yet there is reason to believe that the latest breach, which AT&T disclosed June 13, is more serious than past incidents.

Security experts eWEEK contacted were not surprised at the news that AT&T customer data was breached, but there was some surprise over the motives of the breach.

Girish Bhat, director of product marketing for Wave Systems, said that while threats from insiders are no longer surprising, the intended use of this hack—jail-breaking locked AT&T phones so that they can be resold—is indeed surprising.

Lucas Zaichkowsky, enterprise defense architect at AccessData, told eWEEK, "Three employees of an AT&T vendor with access to records stole them as part of a scheme to make money by unlocking used cell phones. It seems as though there was minimal or no hacking activity in the traditional sense of the word."

Joe DeMesy, security associate at Bishop Fox, said it is all too common to see companies be cavalier with customers' personal data. "The only surprising thing is that it didn't happen sooner," DeMesy said. "Then again, perhaps it has, and they only recently detected it."

AT&T has dealt with leaked customer information before. Back in 2010, 114,000 email addresses of AT&T's Apple iPad 3G customers were leaked.

In that incident, Goatse Security and security researcher Andrew Auernheimer claimed that they were able to exploit a flaw on the AT&T Website. Auernheimer was arrested by the U.S. Federal Bureau of Investigation in 2010 and found guilty in 2012. Auernheimer's conviction was overturned on April 11.

"The Auernheimer breach was problematic in that any user accessing the AT&T Website was able to obtain email address information on iPad users," Bob Stratton, general partner at Mach37, told eWEEK. "[The latest] event seems more significant in that authorized insiders with access to the provisioning system are said to have been misusing access."

Bishop Fox's DeMesy noted that while the Auernheimer breach only affected email addresses, the latest compromise at AT&T disclosed phone records and SSNs.

AccessData's Zaichkowsky noted that, in the latest breach, the attackers were abusing the access they had as employees of an AT&T vendor, which makes the scenario even more dangerous than the Auernheimer breach.

"It makes one wonder what AT&T and other vendors are doing to detect and prevent data leakage," Zaichkowsky said.

In the Auernheimer breach, the purpose was allegedly to expose a flaw that already existed in the AT&T system. In the latest breach, the purpose is more sinister in that it was likely tied to a money-making scheme to enable the unlocking of user devices.

"While the used phone market is cited most frequently in the articles about this event to date, it is a mistake to fail to acknowledge that even current customers sometimes want handsets unlocked at different times than carriers will accommodate," Stratton said. "If the carriers accelerated their moves to the new CTIA voluntary unlocking rights policies, it is conceivable that the demand for this sort of service might decrease."


Organizations and end-users can do a number of things to help mitigate the risk of data breaches like the one that just hit AT&T.

Organizations should limit the number of records employees can access at one time and monitor for unusual employee activity, Zaichkowsky said.

Bishop Fox's DeMesy said AT&T officials clearly need to look at their internal practices and enforce the principle of least privilege in which employees only get access to the type of data they need to do their jobs. "There is no reason for a vendor seeking to unlock a phone to also have access to phone records and SSNs associated with the account," DeMesy said.
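The two controls described above, scoping a vendor role to only the fields its job needs and watching for employees pulling unusual volumes of records, can be expressed in a few dozen lines. The following is an added illustration written for this article, not code from AT&T or any of the quoted firms; the role names, field names, the 50-records-per-hour limit and the access-log format are all constructed assumptions.

```python
"""Role-scoped field access and insider-activity monitoring (illustrative example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical role-to-field policy (an assumption for this example, not a real carrier schema).
# A phone-unlock vendor needs the device identifier and eligibility flag, nothing else.
ROLE_FIELDS = {
    "unlock_vendor": {"imei", "unlock_eligibility"},
    "billing_support": {"name", "address", "phone_records"},
    "fraud_investigator": {"name", "address", "phone_records", "ssn", "dob"},
}

# Hypothetical per-user limit on records touched inside a one-hour sliding window.
MAX_RECORDS_PER_HOUR = 50


def authorize(role, requested_fields):
    """Least privilege: grant only if every requested field is on the role's allow-list."""
    return set(requested_fields) <= ROLE_FIELDS.get(role, set())


def redact(role, record):
    """Return a copy of the record containing only the fields the role may see."""
    allowed = ROLE_FIELDS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}


def parse_log_line(line):
    """Parse one access-log line (constructed format for this example) into a dict.

    Example line:
    '2014-06-13T10:02:11Z user=v123 role=unlock_vendor account=A1 fields=imei,ssn'
    """
    ts, *kv = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for item in kv:
        key, _, value = item.partition("=")
        event[key] = value
    event["fields"] = set(event["fields"].split(","))
    return event


def find_anomalies(lines, max_per_hour=MAX_RECORDS_PER_HOUR, window=timedelta(hours=1)):
    """Return (user, reason) pairs for out-of-role field access and bulk record pulls."""
    events = sorted((parse_log_line(line) for line in lines), key=lambda e: e["ts"])
    anomalies = []
    flagged_volume = set()
    recent = defaultdict(deque)  # user -> timestamps still inside the sliding window
    for e in events:
        user = e["user"]
        # Any field outside the role's allow-list is a policy violation worth alerting on.
        extra = e["fields"] - ROLE_FIELDS.get(e["role"], set())
        if extra:
            anomalies.append((user, "out-of-role fields: " + ",".join(sorted(extra))))
        # Sliding-window count of records this user has touched in the last hour.
        q = recent[user]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_per_hour and user not in flagged_volume:
            flagged_volume.add(user)
            anomalies.append((user, f"{len(q)} records in {window}"))
    return anomalies


def sample_log():
    """Constructed log: one vendor user reading SSN/DOB, one bulk-pulling records."""
    base = datetime(2014, 6, 13, 10, 0, 0)
    lines = [
        "2014-06-13T10:02:11Z user=v123 role=unlock_vendor account=A1 fields=imei,ssn,dob",
        "2014-06-13T10:05:40Z user=b777 role=billing_support account=A2 fields=name,phone_records",
    ]
    for i in range(60):  # 60 pulls in 30 minutes from a single vendor account
        t = (base + timedelta(seconds=30 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{t} user=v456 role=unlock_vendor account=A{100 + i} fields=imei")
    return lines


if __name__ == "__main__":
    for user, reason in find_anomalies(sample_log()):
        print(f"ALERT {user}: {reason}")
```

The field check enforces the point DeMesy makes: an unlock vendor's role simply does not include SSNs or call records, so a request for them is denied by `authorize` (or stripped by `redact`) and still logged, which is what lets `find_anomalies` surface it. The sliding-window counter implements Zaichkowsky's suggestion of limiting how many records one person can pull at a time; the threshold is a placeholder and would be tuned to the normal workload of each role.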

Consumers should avoid giving companies personal information, such as their SSNs, DeMesy said. "Many companies will ask for your SSN; far fewer actually require it," he said. "The frustrating piece is that once a company has your information, there is very little consumers can do to make sure the company adequately protects the data."

Consumer vigilance is crucial when it comes to personal information.

"At the end of the day, we each need to be vigilant by monitoring credit reports and financial accounts for unusual activity," Zaichkowsky said. "Catching these incidents quickly, reporting them and taking action are personal obligations."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.