UPDATED: AT&T said it would pay for credit monitoring services to
customers whose data could be compromised after hackers broke into its
system and accessed credit card information for about 19,000 customers.
The company said it discovered the breach, which affected its online DSL
services, last weekend. Someone apparently broke into the system and viewed
personal information from several thousand customers who purchased DSL
equipment through the company’s online Web store.
AT&T said in a statement it has notified the major credit card companies
whose customer accounts were involved and is in the process of notifying
customers by e-mail, phone and letter.
The company is also working with law enforcement to determine how the
attack occurred and to pursue the perpetrators.
While AT&T didn’t provide information about the root cause of the attack,
Shlomo Kramer, CEO of security appliance maker Imperva, said there is a
greater than 50 percent chance the attack was internal, perhaps by an
employee.
“Maybe somebody misused their privileges and stole this information,” Kramer
said. “I don’t know what was the case here, but a surprisingly large percent of
these data-centric attacks are actually internal.”
Regardless of who probed the network, Kramer said the breach is indicative
of how traditional security measures, such as firewalls and intrusion
prevention systems (IPS), can’t totally shore up a network’s defenses,
especially if the attack comes from within.
“If AT&T has lots of traditional security solutions like firewalls,
intrusion prevention systems, and authentication/authorization systems, very
likely all of that didn’t help in preventing the attack,” Kramer said.
AT&T officials professed their intent to pursue the culprit or culprits.
“We are committed to both protecting our customers’ privacy and to
weeding out and punishing the violators,” said Priscilla Hill-Ardoin, chief
privacy officer for AT&T.
“We will work closely with law enforcement to bring these data thieves to
account.”
Hill-Ardoin acknowledged that there is an active market for illegally
obtained personal information.
That’s an understatement, given the rash of hacks, stolen laptops and
lost or pilfered data storage cartridges that have plagued corporate America
in the past year alone.
The Privacy Rights Clearinghouse said that since February 2005, almost 91
million people have had their personal information potentially exposed by
unauthorized access to the computer systems of companies and institutions.
In May, the personal information of 26.5 million veterans was compromised
when a laptop containing the data was stolen from the home of a Department
of Veterans Affairs (VA) employee. Two teens were charged earlier this month
with the theft.
In June, hotel booking site Hotels.com warned 243,000 customers whose names
and credit card numbers were on a laptop stolen from an employee of Ernst &
Young, the accounting firm.
CardSystems owns the dubious distinction of allowing the biggest breach,
in which 40 million credit card numbers were laid bare in June 2005.
The Privacy Rights Clearinghouse has set up a chronology of reported
breaches since February 2005 here.