RealTime IT News

AT&T to Offer Credit Checks After Data Hack

UPDATED: AT&T said it would pay for credit monitoring services for customers whose data could be compromised after hackers broke into its system and accessed credit card information for about 19,000 customers.

The company said it discovered the breach last weekend for its online DSL services. Someone apparently broke into the system and glimpsed personal information from several thousand customers who purchased DSL equipment through the company's online Web store.

AT&T said in a statement it has notified the major credit card companies whose customer accounts were involved and is in the process of notifying customers by e-mail, phone and letter.

The company is also working with law enforcement to determine how the attack occurred and to pursue the perpetrators.

While AT&T didn't provide information about the root cause of the attack, Shlomo Kramer, CEO of security appliance maker Imperva, said there is a greater than 50 percent chance the attack was internal, perhaps by an employee.

"Maybe somebody misused their privileges and stole this information," Kramer said. "I don't know what was the case here, but a surprisingly large percent of these data-centric attacks are actually internal."

Regardless of who probed the network, Kramer said the breach is indicative of how traditional security measures, such as firewalls and intrusion prevention systems (IPS), can't totally shore up a network's defenses, especially if the attack comes from within.

"If AT&T has lots of traditional security solutions like firewalls, intrusion prevention systems, and authentication/authorization systems, very likely all of that didn't help in preventing the attack," Kramer said.

AT&T officials professed their intent to pursue the culprit or culprits.

"We are committed to both protecting our customers' privacy and to weeding out and punishing the violators," said Priscilla Hill-Ardoin, chief privacy officer for AT&T.

"We will work closely with law enforcement to bring these data thieves to account."

Hill-Ardoin acknowledged that there is an active market for illegally obtained personal information.

That's an understatement, given the rash of hacks, stolen laptops and lost or pilfered data storage cartridges that have plagued corporate America in the past year alone.

The Privacy Rights Clearinghouse said that since February 2005, almost 91 million people have had their personal information potentially exposed by unauthorized access to the computer systems of companies and institutions.

In May, the personal information of 26.5 million veterans was compromised when a laptop containing the data was pilfered from the home of a Department of Veterans Affairs (VA) employee.

Two teens were charged earlier this month with the theft.

In June, hotel booking site Hotels.com warned 243,000 customers whose names and credit card numbers were on a laptop stolen from an employee of Ernst & Young, the accounting firm.

CardSystems owns the dubious distinction of allowing the biggest breach, in which 40 million credit card numbers were laid bare in June 2005.

The Privacy Rights Clearinghouse has set up a chronology of reported breaches since February 2005.