Two AT&T Data Breaches Draw Attention to Insider Access Issues

NEWS ANALYSIS: AT&T's second insider data breach this year underscores the need for companies to better manage insider access to sensitive customer data.


Telecommunications giant AT&T is reporting that, once again, an insider gained unauthorized access to customer information. This is the second time in 2014 that an insider has leaked confidential AT&T customer information.

In a letter sent to the approximately 1,600 customers whose information was accessed in the latest breach, AT&T admitted that customer privacy rules were violated by an AT&T employee.

"We recently determined that one of our employees violated our strict privacy and security guidelines by accessing your account without authorization in August 2014, and while doing so, would have been able to view and may have obtained your account information, including your Social Security number and driver's license number," AT&T's letter stated.

AT&T notes that the individual who gained unauthorized access to customer account information is no longer employed by the company, that any unauthorized account charges will be reversed, and that free credit monitoring is being made available to affected customers.

On June 13, AT&T disclosed an insider attack that exposed customer birth dates and Social Security numbers. In the June breach, the motive was to obtain the codes resellers need to unlock AT&T phones from the carrier's network so the handsets could be resold (this is sometimes loosely called "jailbreaking," though jailbreaking properly refers to removing operating-system restrictions and is distinct from carrier unlocking). The motive in the new insider breach has not yet been publicly revealed.

Security experts eWEEK spoke with were not surprised by the latest AT&T insider breach disclosure.

"Sensitive data is working its way into so many systems, internal and external, that organizations are struggling to lock it down properly," Gerry Grealish, chief marketing officer at Perspecsys, said. "AT&T and other enterprises need to allow access for the business to operate efficiently, but constraining that access and finding the right balance is proving to be a significant challenge."

Marc Maiffret, CTO of BeyondTrust, noted that what is most surprising is how prevalent insider attacks still are and that many companies still rely on paper policies to prevent employees from abusing their access to information.

"This is another great reminder that true technical controls need to be put in place to better manage the privileges and access that employees have to data and systems," Maiffret said.

The latest AT&T insider breach says a few things about the current state of access control and security policies, said Renee Bradshaw, senior solutions marketing manager at NetIQ.

"It tells me that AT&T, like many huge corporations with extended infrastructures, struggles to understand who has access to what sensitive data, especially when third parties are involved," Bradshaw said.

From a technology perspective, there are tools and products that can help organizations, large or small, to get a grasp on access control.

Identity and access management (IAM), encryption and tokenization tools are all hot right now, Grealish explained. "Allowing data to be in the clear, in as few places as possible, in addition to ensuring that only the right folks can have access to it, even in new cloud solutions these companies are adopting, is on the top of most CISOs' agendas," he said.

Limiting Risks of Insider Breaches

AT&T and other companies facing the challenge of locking down access can take steps to limit the risks of insider breaches. The key proactive step is to enforce access rules with technical controls rather than relying on written policy alone.

"It is a legacy idea to think that drafting paper policies on what employees can and cannot do is in any way useful for anything other than having legal grounds to fire or take action against an employee," Maiffret said. "For prevention, companies must strive to map these business rules to technical controls."

Bradshaw echoed that sentiment and added that it's important to clearly identify where sensitive customer information resides and then place protections around that data.

"Policies can be put into place that clearly identify whether an activity is unauthorized or abnormal, and monitoring implemented to ensure that these policies are being adhered to," Bradshaw said.
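The two recommendations above, mapping business rules to technical controls and monitoring for activity that is unauthorized or abnormal, can be made concrete. The following is an added example written for this article, not AT&T's code or any vendor's product: it assumes a constructed access log in which every customer-account lookup carries the employee, their role, the fields requested and a ticket reference justifying the lookup, plus a constructed table of open tickets. The policy releases only the fields a role is entitled to and nothing at all when no open ticket ties the employee to that account; the monitoring pass then flags any employee who touched more than a threshold of accounts without such a justification, the pattern behind both AT&T incidents.

```python
"""Added example: field-level entitlement check plus unjustified-access
monitoring for customer-record lookups. All roles, tickets and log events
below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed role entitlements. In practice these come from the IAM
# system; the point is that the rule lives in code, not in a paper policy.
ROLE_FIELDS = {
    "support_agent": {"name", "plan", "balance"},
    "fraud_analyst": {"name", "plan", "balance", "ssn", "drivers_license"},
}

# Constructed table of open customer interactions: ticket -> account.
# A lookup is justified only if its ticket is open for that same account.
OPEN_TICKETS = {"T-100": "acct-1", "T-101": "acct-2", "T-102": "acct-3"}


@dataclass(frozen=True)
class AccessEvent:
    employee: str
    role: str
    account: str
    fields: frozenset          # fields the employee asked for
    ticket: Optional[str]      # justification supplied with the lookup


@dataclass
class Decision:
    released: set      # fields actually returned to the caller
    over_entitled: set # requested fields beyond the role's entitlement
    unjustified: bool  # no open ticket ties this employee to this account


def evaluate(event: AccessEvent) -> Decision:
    """Technical control applied at the data-access layer."""
    allowed = ROLE_FIELDS.get(event.role, set())
    over = set(event.fields) - allowed
    justified = (event.ticket is not None
                 and OPEN_TICKETS.get(event.ticket) == event.account)
    # No justification: release nothing. Otherwise release only entitled fields.
    released = (set(event.fields) & allowed) if justified else set()
    return Decision(released, over, not justified)


def detect_abnormal(events: Iterable[AccessEvent],
                    max_unjustified: int = 2) -> Dict[str, int]:
    """Monitoring pass: count distinct accounts each employee looked up
    without a matching ticket and flag those over the threshold."""
    touched = defaultdict(set)
    for ev in events:
        if evaluate(ev).unjustified:
            touched[ev.employee].add(ev.account)
    return {emp: len(accts) for emp, accts in touched.items()
            if len(accts) > max_unjustified}


# Constructed log: alice behaves normally (one over-reach is masked),
# carol is an entitled analyst, bob trawls accounts with no justification.
SAMPLE_LOG = [
    AccessEvent("alice", "support_agent", "acct-1", frozenset({"name", "plan"}), "T-100"),
    AccessEvent("alice", "support_agent", "acct-2", frozenset({"name", "ssn"}), "T-101"),
    AccessEvent("bob", "support_agent", "acct-7", frozenset({"name", "ssn", "drivers_license"}), None),
    AccessEvent("bob", "support_agent", "acct-8", frozenset({"name", "ssn"}), None),
    AccessEvent("bob", "support_agent", "acct-9", frozenset({"ssn"}), "T-100"),  # ticket is for acct-1
    AccessEvent("carol", "fraud_analyst", "acct-3", frozenset({"name", "ssn"}), "T-102"),
]


if __name__ == "__main__":
    for ev in SAMPLE_LOG:
        d = evaluate(ev)
        print(f"{ev.employee:6} {ev.account:7} released={sorted(d.released)} "
              f"over_entitled={sorted(d.over_entitled)} unjustified={d.unjustified}")
    print("flagged:", detect_abnormal(SAMPLE_LOG))
```

The entitlement check and the justification check are deliberately separate: the first stops a support agent from ever seeing a Social Security number, while the second catches the case the two AT&T incidents illustrate, an employee whose role legitimately includes customer data but who has no business reason to touch a particular account. The threshold in `detect_abnormal` is an assumption; a real deployment would tune it per role and add time windows.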

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.