Sophos Cloud Optix
AT&T, one of the US’s biggest telecoms, has fired an insider for having thumbed through customer accounts without authorization and potentially slurping customers’ taxpayer IDs, driver license numbers and more.
Sources familiar with the incident said about 1,600 people were affected, according to The Register.
Michael A. Chiarmonte, director of finance billing operations at AT&T, said in a letter that the now-former employee got into people’s accounts in August:
We recently determined that one of our employees violated our strict privacy and security guidelines by accessing your account without authorization in August 2014, and while doing so, would have been able to view and may have obtained your account information including your social security number and driver's license number.
Additionally, while accessing your account, the employee would also have been able to view your Customer Proprietary Network Information without proper authorization.
The CPNI he mentions is information about the services a customer gets from its telecom, such as what type of services a customer buys, how they’re used, and calling details.
It does not, however, include telephone number, name or address, which aren’t considered CPNI.
AT&T’s offering identity-theft insurance and a year of credit monitoring services to customers for free, though both are offered on an opt-in basis.
Subscribers have to enroll using an ID number provided by the company.
AT&T is also recommending that customers change their account passcode if they have one.
If not, why not? Seriously do ponder using one!
At any rate, you’ll need a passcode if you ring up an AT&T rep, access your account online or want help in a retail store, the company says.
Customers won’t have to pay up for any bogus charges made as a result of the data breach, AT&T promises.
This is actually the second time this year that AT&T’s had to write one of those Dear [Name] letters, and both times, an insider’s been behind the breach.
In June, the company confessed to another data breach, this one as part of a con job to unlock and resell devices that a gang of its contractors was pulling.
If AT&T hasn’t figured it out by now, somebody should tell the company that employees, be they current or former, permanent or contractual, are a scary, scary bunch.
A new report from PcW found that, in fact, employees were the most-cited culprits for security incidents this year.
The FBI backs that up: last month, the bureau was warning businesses about the growing threat of employees with an axe to grind.
Sheesh – humans sure are dangerous.
Well, a solution might be in the offing, but it ain’t pretty: Gartner recently predicted that one in three jobs will be converted to software, robots and smart machines by 2025, as new digital businesses require less labor and machines will make sense of data faster than humans can.
Laying off one-third of the world’s workers: that’s a hell of a harsh approach to dealing with insider threats.
Anybody got a kinder, gentler solution for AT&T and all the other organizations that are getting clobbered from the inside out?
Image of man at desk courtesy of Shutterstock.
To me, this is similar to my posting that pertained to the nude celebrity photos posted on the Internet, where I stated:
The celebrities who have been complaining about nude pictures of themselves showing up on the Internet should be shouldering 50% of the blame for this. They are the ones who chose to take nude pictures of themselves. They are the ones who chose to place nude pictures of themselves onto a computerized device (desktop, laptop, iPad, etc.) and then connect that device to a public venue (the Internet). It is well known globally that the Internet is an insecure public network. It is well known globally that even governments, the military, and the Intelligence Community have a difficult time keeping malicious people out of their computers. Placing nude pictures of yourself on a computer of some type and then connecting it to a known insecure public network is similar to laying nude pictures of yourself around your home, leaving your doors and windows unlocked, then someone enters your home when you are unaware and takes some of the pictures and posts them on a public bulletin board or on a lamppost on a street corner. It’s not the owner of the bulletin board who is at fault and it’s not the city who is at fault for the nude pictures being there. It is both the fault of the hacker and the individual who had nude pictures taken of themselves and then placed those nude pictures on a device connected to the public Internet which is known to be insecure. Of course the individual who stole the pictures in the first place is also at fault. But both the hacker who stole the pictures and the individual who knowingly placed the pictures on a device connected to the public Internet share the blame 50/50. Due diligence and common sense were ignored by those who had their nude photographs posted on the Internet.
In the same way, AT&T knowingly posted our highly private and personal information on a known insecure venue (the Internet). As such, whoever at AT&T made that decision is 75% responsible for this loss of citizen information (the other 25% of the blame goes to the hacker). The specific individuals who had the authority at AT&T to knowingly place this information on a known public insecure network should be severely individually punished for their actions…and so should the hacker of course.
I completely disagree. If someone comes into my house and steals something, they are the thief. It doesn’t matter if my house is unlocked or locked, if there is a security system or booby traps or a drawbridge. The act of unauthorized entry is illegal, and removing items is theft. Any person knows this. “Oh, the door was unlocked; the temptation was too great!” is not an excuse. It is the same argument used for rape: “I desired her and I have no self-control so it was her fault”.
It is true that leaving a house unlocked is not prudent. Though, frankly, if someone wants to enter just about any house they can just break a window. Many security systems do not even include locks; they depend on the electronics. And if the electronics fail? Is the victim at fault then, if they had every reason to believe security was in place? Nevertheless, imprudence is not the same as fault.
Using your argument, if you don’t live in a castle with a moat and armed sentry, you are at fault if you have something stolen.
A hacker knowingly seeks out sensitive information. They are in the position of someone entering a house for the purpose of theft. Unless someone could accidentally access the sensitive information, the culpability is entirely the hacker’s.
That doesn’t mean AT&T shouldn’t be prudent and provide better safeguards; and you, as a customer, should make sure they use better security, or take your business elsewhere. But the fault for the data breach, the moral failing and criminal liability, lies with the hacker, who intentionally and knowingly set out to steal that data.
I have a suggestion for AT&T: stop collecting Social Security numbers! How can that possibly be needed to provide mobile services?
The obvious solution: Treat employees as if they are your “greatest resource” and not “stopgaps until we get robots.”
Your “solution” isn’t a solution to the problem at hand (security). It may or may not be good for morale and employee relations, but the root problem here is data theft.
Unfortunately, we’re humans, and humans are a decidedly evil bunch. We generally can’t be trusted, and big companies cannot count on trusting even those they must trust.
Using “robots” only removed the problem one step: Typical employees don’t have access, but now the problem shifts to employees with access.
I’ve found that it doesn’t really matter how well the company treats employees, nor how much they are paid. Some are GOING to be bad apples. There needs to be processes in place to catch the bad apples earlier rather than later. In fact, that seems to have happened here: the person was sacked after only a month. That’s not too bad a time to catch a crook internally.
I’m concerned that “We recently determined that one of our employees violated our strict privacy and security guidelines by accessing your account without authorization.”
This is old school security. I think it’s time to take data security seriously. Security policies should be automatically enforced by our computer systems.
Recent data breaches illustrate that current security approaches can’t tell you what normal looks like in your own systems. Less than 14% of breaches are detected by internal security tools according to the annual international breach investigations report by Verizon.
So, we need to protect the data itself. I think it is time to secure the sensitive data in the entire data flow with modern approaches. Recent studies reported that data tokenization can cut security incidents by 50 %.
Ulf Mattsson, CTO Protegrity
Agreed. And, for more than one reason. Keep data from outsiders and thieves was addressed here. But, security also includes data integrity and accessibility. Your approach, done correctly, can help with all facets of security.
One in three jobs converted to software et al. is not the same that laying off one in three workers. A transformation is coming and we should prepare for it (Darwin’s law in action, maybe?)
People should take reponsability for their own future (and their own actions) but company’s guidance and assistance will be probably very beneficial for the workers… and for the company itself. What is happening does not seem so different from when a couple of centuries ago workers entered factories to destroy machinery.
You are SO right. Change is happening, and will continue to happen. Rapidly, too:
I started playing with computers over 40 years ago. At that time, PCs hadn’t yet been invented.
I started working in the computer field 30 years ago. At that time, PCs existed, but few knew about them.
I started the current phase of my career around 25 years ago, that of doing desktop support. Now I’m probably one of the best. BUT, my job will be obsolete (probably) in 5-20 years.
Technology marches on. We can’t stop it. We CAN manage our reactions to it. Those who can do so well will always have a job available to them. Those who can’t … 🙁
Companies are responsible for maintaining secure records. In this day and age that information should not be accessible by employees as frankly that should be encrypted information. Social Security numbers were never meant to be a form of verification. The problem is that companies do just that. They also ask verification questions that not only can be accessed by public record but is something that also should be encrypted…or not asked at all. Most telephone software can determine what phone number you call from. The problem is that it works best with a landline but most people use cell phones primarily now. Every consumer oriented company should have a passcode and a reminder question if need be. This passcode should never have anything to do with sensitive information.
To answer the posed question I would have to say that the employee should definitely be held responsible and terminated. If the said company has to terminate one third of its work force I would have to assume that the company has poor hiring practices.