
Detailed AT&T customer data inappropriately accessed by unlocking company

AT&T

If you're an AT&T customer, you may have received an email recently about a security breach within the organization. AT&T has now confirmed that personal information such as Social Security numbers and call records may have been accessed by individuals not authorized to view such information.

AT&T has not confirmed how many accounts have been affected, but it did confirm the breach took place between April 9-21 and that the accounts were accessed 'as part of an effort to request codes from AT&T that are used to unlock AT&T mobile phones in the secondary mobile phone market.'

"We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization. This is completely counter to the way we require our vendors to conduct business. We know our customers count on us and those who support our business to act with integrity and trust, and we take that very seriously. We have taken steps to help prevent this from happening again, and we have reported this matter to law enforcement."

So while it's not a 'hack' of customer data in the traditional sense, AT&T has taken proactive measures to advise customers of the breach by sending them notices and making them aware of the situation. Still, not the best of scenarios for the carrier. Have you received any notices from AT&T?

Source: ITWorld; Via: PhoneScoop


Reader comments

72 Comments

And that's the problem, if one day you are the unlucky one of the millions and get your identity stolen, accounts wiped and hundreds of thousands in debt accrued, you will start caring more and don't just brush it off as another boring data breach.

 

 

 

That's a pretty high and mighty statement.

This was a case of a third party vendor having internal access to ATT info. How is a consumer supposed to protect themselves from that? 

Yea I know. Lazy ass people attacking people who work hard for their money. If you're going to attack someone, attack the banks or something.

Edward Snowden did the same thing... Released information to others that shouldn't have had access to it. Maybe these things becoming commonplace and people becoming numb to it is exactly what "they" want.
"It's going to happen anyways, why fret? Share more so they can't steal it! I've got nothing to hide."

Some AT&T customers? They don't know which? This was a vendor? Is this information available to them as a vendor? If not then AT&T's security got hacked. Hence a "breach" and not an "incident".

In other words, "we have little to no internal security on your data, and we just say a few Hail Marys and hope for the best while the revolving door of vendors has their way with our computer systems each week." This sort of thing doesn't just accidentally happen, it's a clear lack of proper access control. I'd like to think that AT&T is going to suffer a deep and unlubricated legal reaming over this, but we all know these companies are never held accountable. "Here's some free credit monitoring, kthxbai."

It states AT&T did not say how many. But where do you see that a portion of customers were notified?

Why would a vendor even have access to this data? They're kinda spinning this as someone else's fault. Of course, we wouldn't have this issue if phones weren't locked.

Cause you're being billed and if you don't pay they want to make sure to report you to the CRAs. That's why people have to put down a deposit. Just like insurance

Posted via Windows Phone Central App

None of this is required for any of that. In Canada my SS number is between me, my employer and the government. That's it. Everything seems to make it to the CRAs just fine. In fact it is not legal for anyone else to require it as a condition of doing business with them.

Similar in UK - National Insurance numbers (what you would call SSNs) are only used to confirm identity regarding benefits (aka state welfare) and for jobs regarding tax purposes (so you don't end up paying 20% of your wages in pure tax because you have been put on what they call "emergency tax code" - example: £1000 is your monthly salary, £200 goes off to the taxman). For billing they just liaise with CRAs directly and check on the electoral roll to verify your identity and address.

It's not legal to require it in the US, but companies ask for it (to make things easier for them) and people voluntarily give it thinking it is. Truth is you can refuse to give it. It may just make getting things a little more complicated, and maybe at a higher cost.

Like lcw731 said, actually, it is not illegal for anyone to use your SSN as a requirement to register for and use their services, and that is why it came to be used by so many businesses.

You do have the right to refuse to hand it over, and ask that another number be created for your account. Some companies will do so without complaint, while others may go so far as to refuse service. It has worked for me on things like health insurance application forms.

The best defense against trivial SSN use is not knowing your own SSN.

I don't know mine and whenever I get asked for it or have to fill out paperwork that wants it, I just say "I don't know my SSN" and 99.9999% of the time they say "ok we don't actually need it".

The only time I have ever given my SSN is when applying for a credit card, passport, and gun license.

So when people who can't possibly hope to afford a mobile contract sign up for one, they can send it off to a collections agency (who will never recover anything) so they can take the loss writeoff to make their earnings reports look better in the shareholder meetings. Oh, and also apparently to provide a valuable service to the identity theft community. Thanks for being a good sport! ;)

I wish companies would quit using Social Security numbers for identification. When they F up using that, our entire life is disrupted.

They should limit the scope of ANYONE authorized to access an account's data to only those fields essential to the task. We need laws mandating this simple principle.

How about they stop locking the damn phones. We already pay back the full subsidy with a contract.

Agreed - I ended up paying some ebay seller $35 to get me an unlock code for my fully paid for 1520

I suspect that now it's going to be even harder to get an unlock code which is BS

As always they will BS about only 1% of customers being affected when in reality probably everyone had their records breached.

AT&T has violated CPNI (customer proprietary network information) multiple times with my account. They gave my name out without verifying me when I called to ask about my account being compromised. Then the Uverse people got me to give them my cell number and changed my cell plan mid bill cycle. After like 10 calls to their call center they would issue me credits and then would text me later that my issue was resolved. The resolution was them reversing my credits. Att sucks and they don't care about customers or our private info... they just care about our money!!

I read a lot of this stealth in Chinese forum. They share some att customers' information, like SSN, to unlock their iPhones. I didn't know where they got them. But now I get it.

Because this allows AT&T to extend the period for getting a subsidized phone without cutting the monthly fee that pays for my own subsidy. If they stopped locking they would stop subsidizing and could no longer get away with their sky high rates.

You know what, folks? ATT is probably not the only carrier to outsource services. Call centers, installers, tech support are frequently outsourced. Trust me. None of the carriers have a corporate-owned call center in central Asia. Of course, all other carriers only contract with vendors who hire only boy scouts.

I applaud ATT for going public with this. I would suspect that for every company with which we do business, customer information is far too available to 3rd party vendors' employees.

Perhaps with ATT standing up and saying this shouldn't happen, more companies will pay closer attention to their customers' data and their vendors.

AT&T uses third party businesses for unlocking their phones? AT&T with all of its billions can't afford to hire and pay its own staff for something that important? They are exclusively the ones that hold the keys and control of that handset and they give the keys to some unknown entity in foreign lands? On the other hand, maybe this was AT&T's intention all along. Seriously, what benefit does AT&T get by unlocking "their" phones? None. In fact they lose business every time a phone is unlocked and they know this. That IS precisely why they gave the keys to non-AT&T employees and those that have no allegiance to their company. AT&T knew that their traitorous customers that want their phones unlocked would have a massive risk of getting their personal information compromised with no in-house oversight. AT&T washes their hands of the situation and blames their subcontractors and at the same time sends out a word of warning to all of their customers that their personal information will be sabotaged if they choose to defy AT&T's dictatorship.

The article did not say what service the vendor provides, but it probably was something other than phone unlock services. It could be a call center where they set up or service accounts, requiring verification of the customer's identity. Duh.

It really is in a vendor's own interest to maintain security according to their contract with their customer, the carrier, regardless of the laws of the country in which they're located. Too many breaches and they lose the contract.

But you might find it worth noting, LibRep, that many companies are bringing those services back home, although not because of security concerns.

You can use Net10 sim cards in ATT phones without unlocking them. Pay net ten 50 bucks a month and use ATT's network and protect your info and still have the coolest phones!!!