AT&T suffers another massive data breach due to an inside job

AT&T inside job leads to compromise of customer data

The American telecom giant has reported that the data of an unknown number of its customers may have been compromised. In a statement issued to its customers and Vermont authorities today, AT&T said that the breach was the work of a malicious insider and may have resulted in the compromise of account and personal information of an as yet unknown number of customers.

Inside job again!

In a letter written to affected customers and the Office of the Vermont Attorney General, AT&T has explained that the breach was an inside job. It seems that one of AT&T’s employees violated the company's policy and security guidelines by accessing users’ account information, including the users’ social security numbers and driver’s license numbers.

As per the notification, the employee accessed a master customer database file called Customer Proprietary Network Information (CPNI) without proper authorization. The CPNI is the master data card of a customer on the AT&T network and contains all valid and valuable information about the customer. It is generated by AT&T once you buy any type of service from the company, and the insider who carried out the breach apparently knew this.

“Additionally, while accessing your account, the employee would also have been able to view your Customer Proprietary Network Information (CPNI) without proper authorization,” the letter says. “CPNI is information related to the telecommunications services you purchase from us.”

How many AT&T customers are affected?

As per the letter, the breach happened sometime in August 2014, and the rogue employee exfiltrated data from an unknown number of accounts. AT&T's investigative team believes that the rogue employee may have misused some of the stolen information in the meantime. However, AT&T is not sure what information was misused or how. AT&T states in its letter that the rogue employee has been identified and has since been terminated from service. “To the extent this activity results in any unauthorized charges or changes to your account, they have been or will be reversed,” it says in the letter. It further states, “On behalf of AT&T, please accept my sincere apology for this incident. Simply stated, this is not the way we conduct business, and as a result, this individual no longer works for AT&T”. But it fails to state how many accounts were breached by the said employee.

AT&T has said that it will be taking the following steps to mitigate the effects of the stolen data.

As is the latest industry norm for data breaches, AT&T is offering free credit monitoring services to affected users. It has also advised them to contact their credit card providers and place a fraud alert on their credit report.

If you are an AT&T customer, you are required to change the passcode for your account immediately. If you haven’t set up a passcode, you are required to set one up ASAP.

Breach in June 2014

That said, AT&T, it seems, has a very poor employee and vendor vigilance mechanism in place. As recently as June 2014, three of its vendors' employees accessed customer accounts and were able to impersonate the customers to get unlock codes from AT&T. The only saving grace was that the customers' data was not financially misused in that breach.

This breach is likely to have come to AT&T's notice only recently, though it occurred in August 2014. Under the latest updated Vermont data breach notification law, any company that is subject to a data breach has to notify the Vermont Attorney General within 14 business days of either the discovery of the breach or notice to the consumers, whichever is sooner.

AT&T has to get its employee and vendor verification mechanism in place and enforce it strictly to avoid such breaches in the future.
