Not all data breaches are caused by sophisticated criminal organizations looking to steal financial data or confidential information. Sometimes a breach grows out of people doing the things they normally do, just not in the way they are supposed to.
Such was the case with the recent AT&T breach. Employees of one of the telecom's third-party vendors accessed customer account information that they were not authorized to see. In response to the incident, AT&T's executive director for media relations, Mark Siegel, explained the situation, saying, "We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization. This is completely counter to the way we require our vendors to conduct business."
Who was affected?
AT&T has not released any information about how many customers were affected, and it has not identified the vendor responsible. The breach can safely be assumed to have affected at least several hundred people: California requires a company to submit its breach notification to the state Attorney General when more than 500 California residents are notified, and papers filed with the California Attorney General's office indicate that AT&T was complying with this requirement as a result of this incident.
If the breach was limited to around 500 users, that is a small number by most accounts. However, the details of what happened should be an eye opener, because they show how little sometimes stands between an outsider and confidential information, even in large organizations.
How did this happen?
Cell phone carriers like AT&T lock the handsets they sell so that the phones can only be used with that carrier's network. Subscribers can unlock these phones by requesting an unlock code from the carrier. Once unlocked, the phone can be moved to another carrier's network. This request is common among customers who switch carriers but choose to keep their current phone, and it is also used to unlock phones sold on the secondary market.
Unlocking AT&T phones was exactly what the third-party vendor responsible for this breach did. It assisted customers with unlock requests; however, the way its employees went about this violated AT&T's privacy policies and exposed a hole in the security around customer accounts.
That hole came in the form of three vendor employees who contacted AT&T while pretending to be the customer. By impersonating customers, they obtained access to accounts that they had no authorization to view. As a result, the employees in question, who have since been fired, were able to see birthdates, social security numbers and Customer Proprietary Network Information (CPNI).
How were consumers notified?
To comply with California law, a public notification was filed with the California Attorney General's office. This notification was the same letter that AT&T mailed to the customers whose information may have been exposed during the period of the breach: April 9, 2014 to April 21, 2014. The letter states that law enforcement was also notified about the situation. As of yet, no explanation or notification has been posted on AT&T's website.
How were consumers impacted?
During the investigation of this data breach, it was reported that no financial or personal information had been stolen. To further protect customers whose information may have been exposed, AT&T has offered them one year of credit monitoring at AT&T's expense. Customers will have to sign up for this service, though; it is not automatic. AT&T has not commented on whether any of the phones that were unlocked had previously been reported stolen.
The greatest impact on customers and the general public lies in how this happened. Much like the Target breach, the problem came from a third-party vendor rather than from the company itself. As more and more companies outsource work to domestic and overseas vendors, there is a strong possibility that these smaller businesses will be the source of future attacks, because they tend to have fewer security controls in place. Consumers would be wise to learn more about how companies handle security and what partnerships with smaller companies are in place.
How was the company impacted?
The full impact of the breach from AT&T's perspective is uncertain. Right now, the company must deal with the resulting damage to its reputation. Should it come to light that the information was sold, used in identity theft or used to commit fraud, then legal fees, fines and lawsuits may follow.
How can they fix it?
Fixing a breach like this requires a company to evaluate the security processes and policies of its partners. Companies will always rely on business-to-business relationships for work they cannot handle in-house, and because outsourcing can save them money. However, the request for proposal process should include a review of what security procedures a vendor has in place. What measures will they take to avoid being targeted by sophisticated threats? What type of background check do employees who may have access to sensitive data undergo? What are they willing to do should an incident be traced back to them? In this case the vendor's staff needed only to pose as the customer to get at account data, so the review should also cover how the company itself authenticates account access by vendor personnel, limits it to what the task requires, and logs it so that misuse can be detected. Having answers to these questions could not only help prevent attackers from using a vendor to attack your company, but could also keep you from having to shoulder all of the responsibility for a breach that is not entirely your fault.