    AT&T Insider Data Breach More Dangerous Than External Hacking

    By Sean Michael Kerner - June 17, 2014

      AT&T has not formally disclosed how many customers the company’s latest data breach affected, but the attack appears to have exposed customer birth dates and Social Security numbers (SSNs).

      It isn’t the first time that AT&T revealed that a data breach put customer information at risk. Yet there is reason to believe that the latest breach, which AT&T disclosed June 13, is more serious than past incidents.

      Security experts eWEEK contacted were not surprised at the news that AT&T customer data was breached, but there was some surprise over the motives of the breach.

      Girish Bhat, director of product marketing for Wave Systems, said that while threats from insiders are no longer surprising, the intended use of this hack—jail-breaking locked AT&T phones so that they can be resold—is indeed surprising.

      Lucas Zaichkowsky, enterprise defense architect at AccessData, told eWEEK, “Three employees of an AT&T vendor with access to records stole them as part of a scheme to make money by unlocking used cell phones. It seems as though there was minimal or no hacking activity in the traditional sense of the word.”

      Joe DeMesy, security associate at Bishop Fox, said it is all too common to see companies be cavalier with customers’ personal data. “The only surprising thing is that it didn’t happen sooner,” DeMesy said. “Then again, perhaps it has, and they only recently detected it.”

      AT&T has dealt with leaked customer information before. Back in 2010, 114,000 email addresses of AT&T’s Apple iPad 3G customers were leaked.

      In that incident, Goatse Security and security researcher Andrew Auernheimer claimed that they were able to exploit a flaw on the AT&T Website. Auernheimer was arrested by the U.S. Federal Bureau of Investigation in 2010 and found guilty in 2012. Auernheimer’s conviction was overturned on April 11.

      “The Auernheimer breach was problematic in that any user accessing the AT&T Website was able to obtain email address information on iPad users,” Bob Stratton, general partner at Mach37, told eWEEK. “[The latest] event seems more significant in that authorized insiders with access to the provisioning system are said to have been misusing access.”

      Bishop Fox’s DeMesy noted that while the Auernheimer breach only affected email addresses, the latest compromise at AT&T disclosed phone records and SSNs.

      AccessData’s Zaichkowsky noted that, in the latest breach, the attackers were abusing the access they had as employees of an AT&T vendor, which makes the scenario even more dangerous than the Auernheimer breach.

      “It makes one wonder what AT&T and other vendors are doing to detect and prevent data leakage,” Zaichkowsky said.

      In the Auernheimer breach, the purpose was allegedly to expose a flaw that already existed in the AT&T system. In the latest breach, the purpose is more sinister in that it was likely tied to a money-making scheme to enable the unlocking of user devices.

      “While the used phone market is cited most frequently in the articles about this event to date, it is a mistake to fail to acknowledge that even current customers sometimes want handsets unlocked at different times than carriers will accommodate,” Stratton said. “If the carriers accelerated their moves to the new CTIA voluntary unlocking rights policies, it is conceivable that the demand for this sort of service might decrease.”

      Mitigation

      Organizations and end-users can do a number of things to help mitigate the risk of data breaches like the one that just hit AT&T.

      Organizations should limit the number of records employees can access at one time and monitor for unusual employee activity, Zaichkowsky said.

      Bishop Fox’s DeMesy said AT&T officials clearly need to look at their internal practices and enforce the principle of least privilege in which employees only get access to the type of data they need to do their jobs. “There is no reason for a vendor seeking to unlock a phone to also have access to phone records and SSNs associated with the account,” DeMesy said.
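
      An added illustration of the two controls described above (not from the article or from AT&T): a Python audit over a constructed access log that flags field reads outside a role's allowlist and users who touch more distinct accounts in a window than a cap allows. The role names, field names, thresholds and log format are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical role-to-field allowlist (least privilege): a role that only
# unlocks handsets needs device data, not SSNs or call records.
ROLE_FIELDS = {
    "unlock_vendor": {"imei", "unlock_eligibility"},
    "billing_support": {"imei", "call_records", "dob"},
}
MAX_ACCOUNTS_PER_WINDOW = 3      # assumed cap on distinct accounts per user
WINDOW = timedelta(hours=1)      # assumed sliding window

# Constructed sample log: (timestamp, user, role, account_id, field)
LOG = [
    ("2024-01-01T09:00:00", "v-alice", "unlock_vendor", "A1", "imei"),
    ("2024-01-01T09:01:00", "v-alice", "unlock_vendor", "A1", "unlock_eligibility"),
    ("2024-01-01T09:05:00", "v-bob", "unlock_vendor", "A2", "imei"),
    ("2024-01-01T09:06:00", "v-bob", "unlock_vendor", "A2", "ssn"),
    ("2024-01-01T09:10:00", "v-bob", "unlock_vendor", "A3", "dob"),
    ("2024-01-01T09:20:00", "v-bob", "unlock_vendor", "A4", "call_records"),
    ("2024-01-01T09:30:00", "v-bob", "unlock_vendor", "A5", "imei"),
    ("2024-01-01T11:00:00", "b-carol", "billing_support", "A6", "call_records"),
]


def audit(log):
    """Return (field_violations, volume_alerts) for an access log."""
    field_violations = []            # (user, account, field) outside the role
    recent_by_user = defaultdict(list)   # user -> [(time, account)] in window
    volume_alerts = set()
    for ts, user, role, account, field in sorted(log):  # ISO strings sort by time
        when = datetime.fromisoformat(ts)
        # Least privilege: unknown roles get an empty allowlist (deny by default).
        if field not in ROLE_FIELDS.get(role, set()):
            field_violations.append((user, account, field))
        # Volume: keep only this user's accesses inside the sliding window.
        recent = [(t, a) for t, a in recent_by_user[user] if when - t <= WINDOW]
        recent.append((when, account))
        recent_by_user[user] = recent
        if len({a for _, a in recent}) > MAX_ACCOUNTS_PER_WINDOW:
            volume_alerts.add(user)
    return field_violations, sorted(volume_alerts)


if __name__ == "__main__":
    violations, alerts = audit(LOG)
    print("field violations:", violations)
    print("volume alerts:", alerts)
```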

      Consumers should avoid giving companies personal information, such as their SSNs, DeMesy said. “Many companies will ask for your SSN; far fewer actually require it,” he said. “The frustrating piece is that once a company has your information, there is very little consumers can do to make sure the company adequately protects the data.”

      Consumer vigilance is crucial when it comes to personal information.

      “At the end of the day, we each need to be vigilant by monitoring credit reports and financial accounts for unusual activity,” Zaichkowsky said. “Catching these incidents quickly, reporting them and taking action are personal obligations.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
