Print 6 comment(s) - last by mushkins.. on Jun 18 at 8:01 AM

Number of customers affected is unknown; theft may have been aimed at unlocking stolen smartphones

A series of "snail-mail" (traditional postage) letters and an accompanying filing with the Office of the Attorney General for the State of Calif. (OAG-CA), AT&T, Inc. (T) has disclosed a data breach, which has affected an unspecified number of U.S. wireless subscribers.

The breach occurred between April 9 and 21.  During that time, AT&T accuses three contractors working at an unnamed service provider of abusing their access to customer records to download a treasure trove of personal/financial information on customers, including:
  • social security numbers (only some customers)
  • dates of birth
The attack was discovered on May 19, according to the filing.

AT&T spokesman Seth Bloom gave DailyTech the following statement:

We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization. This is completely counter to the way we require our vendors to conduct business. We know our customers count on us and those who support our business to act with integrity and trust, and we take that very seriously. We have taken steps to help prevent this from happening again, notified affected customers, and reported this matter to law enforcement.

AT&T wrote in the letter that it believes the contractors were involved with efforts to unlock smartphones, hinting that the end goal might be to restore traffic to stolen devices.  With growing income disparity, theft of high-end electronics such as smartphones is on the rise in America; in 2013 1.4 million smartphones were stolen and not recovered [source].

smartphones thief
The illegally obtained customer data could be abused in attempts to unlock stolen smartphones. [Image Source: Android Headlines]

But it's possible that the contractors stole client data to allow customers who legally own their phones, but wish to protect their privacy, to unlock their devices.  AT&T's current rules (similar to other carriers) -- which came into place in 2012 -- allow you to take a device you legally own to another carrier, if you pay early termination fees (ETFs) (if your contract is not complete).  However, you must provide personal information (including a valid social security number) in order to complete that process.

While legal subscribers almost certainly have already given that information to AT&T, some might hesitate at handing it out a second time.  Using stolen credentials it would be possible for a device to masquerade as a legitimate subscriber's handset and step through the unlocking process without giving out personal information.

The breach was revealed this week via the letters to customers and the letter to Calif., which was written as Calif. state law (Calif. CC § 1798.80) mandate companies to disclose any data breach affecting more than 500 customers.  How many more customers were affected is currently unknown.

AT&T blue plastic
[Image Source: Reuters]

Much like Target Corp. (TGT) did with its recent breach, AT&T is offering affected customers a year of free credit monitoring services to protect them from illegal charges.  For now customers can be guardedly optimistic that the breach might have been done for more innocent reasons, unlike the Target breach which was clearly a financial theft operation against customers.
AT&T customers should be on the lookout for suspicious charges, though, until the extent of the breach is known.  AT&T is America's second largest carrier, with roughly 76 million subscribers, behind only Verizon Communications Inc.'s (VZ) Verizon Wireless network, which has more than 96 million subscribers.  AT&T also provides landline, cable internet (Uverse), and enterprise IT services.

Sources: AT&T, Office of the Attorney General for the State of Calif., Business Insider

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

SSNs again?
By AntiM on 6/16/2014 4:44:00 PM , Rating: 4
I can't imagine why a telecom would need to permanently keep a person's SSN. The only entities that I should be required to give my SSN to are the IRS and my employer. It should be against the law for anyone else to have my SSN. They were never meant to be used for identification purposes, and now we see why.

RE: SSNs again?
By tng on 6/16/2014 5:55:45 PM , Rating: 3
They were never meant to be used for identification purposes,
Well that is what the Feds told everybody back when they started requiring them, but see how that worked out.

RE: SSNs again?
By marvdmartian on 6/17/2014 7:44:53 AM , Rating: 2
Their claim is that they use the information to run a credit check (same as utility companies, cable companies, etc.). The problem is, there's no reason in the world, once that credit check has been completed, that they should be holding onto the customer's SSN.....and that's where I have the problem with them having it in the first place.

The biggest problem is that this number is tied so directly into your credit history, and that has made it a valuable piece of information. It's really only in the past 25-30 years that it has become like this, too. Heck, I remember, back in the early 80's, when the military would have people address mail to military members with that member's SSN written on the outside of the envelope!

RE: SSNs again?
By Ahnilated on 6/17/2014 8:59:02 AM , Rating: 1
You don't need to give it to your employer either. You are NOT required to have an SSN to work in America. Look at the Taco Bell (what it has come to be known as) case from the US Supreme court.

Hyperbole much?
By fic2 on 6/16/2014 7:01:58 PM , Rating: 3
With growing income disparity, theft of high-end electronics such as smartphones is on the rise in America;

Really? Because only rich people have smartphones?

Anecdotal, but it seems that most of the less well off people I know are also the ones with the newest iThing.
(And, I am still using a flip phone)

RE: Hyperbole much?
By mushkins on 6/18/2014 8:01:32 AM , Rating: 2
No? That statement in no way says that only rich people have smartphones.

What that statement *does* say, is that due to growing income disparity (aka more people impoverished), theft of high-end electronics such as smartphones is on the rise because they're expensive. An iPhone is $600 and everyone and their mother in a coffee shop leaves it on the table when they turn away. You don't need to be a master thief to snatch a piece of very small, very expensive electronics off a table and slide out the door before anyone notices.

Smartphones are worth a lot and are easy targets. And yes, poor people have them too, because they get them cheap with a two year contract. The thief doesn't care if you paid $100 or $600 for it, or if you have a contract or insurance on the device. He cares that he's going to grab your new iPhone 5s and resell it on craigslist for an easy $300 almost immediately.

"If a man really wants to make a million dollars, the best way would be to start his own religion." -- Scientology founder L. Ron. Hubbard

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki