We’ve commented before that companies are reluctant to disclose data breaches because it makes them look bad and can scare away customers. AT&T is no exception: it discovered the breach on May 19, 2014, and didn’t notify affected customers until nearly a month later, on June 13.
In a letter to affected customers, AT&T said:
Employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization. AT&T believes the employees accessed your account as part of an effort to request codes from AT&T that are used to ‘unlock’ AT&T mobile phones in the secondary mobile phone market.
Of course, it doesn’t matter to the affected customers that the thieves were after phone unlock codes. Once copied, social security numbers can just as easily be sold on the black market for identity theft, which creates major headaches for the victims.
AT&T said in a statement:
We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization. This is completely counter to the way we require our vendors to conduct business.
We’ve written before about how employees are often the weak link in corporate data security because of human nature and sloppy data security behavior. In this case the problem wasn’t sloppiness – it was an insider who was a thief.
What happened to AT&T highlights the “trusted insider” problem. AT&T did not reveal additional details about how the employees accessed the data or how they were caught, but we can make a few educated guesses.
Employees who set out to steal this kind of data are usually not so foolish as to log in with their own user name and password. Most companies keep audit logs that tie every query to an account, so unusual activity under their own account would point straight back at them. Instead, the trusted insider typically uses someone else’s credentials. The insider has a badge and can enter the facility; he or she can work late and, after everyone else has gone home, rummage for written-down passwords or find a terminal where someone forgot to log out. The audit trail then points to a colleague rather than to the thief. The other common pattern needs no stolen credentials at all: an insider whose own role already grants access to the data simply pulls far more records than any legitimate task requires, which is why monitoring has to look at the volume and timing of access and not only at whose account was used.
PACid has technology that can greatly hamper data thefts by insiders.
As described in our write-up on our “Five Levels of Data Security,” with a Level 3 configuration or better, logging in requires physical possession of the secure device (the user’s smartphone) in addition to the password, so stealing someone’s password is not enough. The forgotten-logout problem has a solution as well: using the geofence capabilities built into smartphones, the system can be configured to end the session automatically when the employee’s phone leaves the premises. And no one simply leaves both their phone and their password at work; research shows that the average person notices his or her phone is missing within six minutes.
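As an added example that is not PACid’s code and not anything the page describes AT&T or its vendor as running, the following Python turns the two ideas above into checks a security team could run: correlating account activity with badge records to catch the “someone else’s credentials after hours” pattern described earlier, flagging bulk pulls of customer records, and ending a session when the user’s phone last reported a position outside the site geofence. All user names, timestamps, terminal IDs, coordinates, thresholds and the fail-closed handling of a missing location fix are assumptions made for the example.

```python
"""Presence-correlated session control: flag account activity while the account
owner is out of the building, flag bulk record pulls, and end sessions whose
phone has left the site.  Added example, not PACid's or AT&T's code; all badge
events, access events, locations and thresholds are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

@dataclass(frozen=True)
class BadgeEvent:
    user: str
    ts: datetime
    direction: str   # "in" or "out"

@dataclass(frozen=True)
class AccessEvent:
    user: str        # account the query ran under
    ts: datetime
    terminal: str
    record: str      # customer record touched

def presence_intervals(badge_events):
    """user -> [(badge_in, badge_out)]; badge_out None means still inside."""
    intervals, open_in = {}, {}
    for ev in sorted(badge_events, key=lambda e: e.ts):
        if ev.direction == "in":
            open_in[ev.user] = ev.ts
        else:
            intervals.setdefault(ev.user, []).append((open_in.pop(ev.user, None), ev.ts))
    for user, start in open_in.items():
        intervals.setdefault(user, []).append((start, None))
    return intervals

def was_present(intervals, user, ts):
    """True if the badge log places `user` inside the building at `ts`."""
    return any((start is None or start <= ts) and (end is None or ts <= end)
               for start, end in intervals.get(user, []))

def flag_absent_owner_activity(badge_events, access_events):
    """Access events under an account whose owner had badged out (or never badged in)."""
    intervals = presence_intervals(badge_events)
    return [e for e in access_events if not was_present(intervals, e.user, e.ts)]

def flag_bulk_record_access(access_events, window, threshold):
    """Users who touched more than `threshold` distinct records inside any `window`."""
    by_user, flagged = {}, set()
    for e in sorted(access_events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            if len({e.record for e in evs[i:] if e.ts - first.ts <= window}) > threshold:
                flagged.add(user)
                break
    return flagged

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (haversine, mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    h = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371000.0 * asin(sqrt(h))

def sessions_to_revoke(last_fix, site, radius_m):
    """Users whose phone is outside the geofence.  A missing fix (None) fails closed
    and ends the session; that is this example's choice, not a PACid product behaviour."""
    return sorted(u for u, fix in last_fix.items()
                  if fix is None or distance_m(*fix, *site) > radius_m)

# Constructed sample data for one working day (assumed names, times and places).
DAY = datetime(2014, 4, 15)
BADGE_LOG = [
    BadgeEvent("alice", DAY.replace(hour=8, minute=55), "in"),
    BadgeEvent("alice", DAY.replace(hour=17, minute=40), "out"),
    BadgeEvent("bob", DAY.replace(hour=9, minute=2), "in"),       # bob works late, never badges out
]
ACCESS_LOG = [
    AccessEvent("alice", DAY.replace(hour=10, minute=15), "T3", "CUST-0001"),
    AccessEvent("alice", DAY.replace(hour=19, minute=10), "T7", "CUST-0002"),  # alice left at 17:40
] + [AccessEvent("bob", DAY.replace(hour=19, minute=5) + timedelta(minutes=2 * k), "T7", f"CUST-1{k:03d}")
     for k in range(12)]                                            # 12 records in 22 minutes
SITE = (30.2672, -97.7431)                                          # assumed office coordinates
LAST_FIX = {"alice": (30.3122, -97.7431), "bob": SITE, "carol": None}  # alice ~5 km away, carol not reporting
BULK_WINDOW, BULK_THRESHOLD, GEOFENCE_M = timedelta(minutes=30), 10, 200.0

def run_checks():
    """Run all three checks over the sample data and return plain values."""
    return {
        "absent_owner": [(e.user, e.ts.strftime("%H:%M"), e.terminal)
                         for e in flag_absent_owner_activity(BADGE_LOG, ACCESS_LOG)],
        "bulk_access": flag_bulk_record_access(ACCESS_LOG, BULK_WINDOW, BULK_THRESHOLD),
        "revoke": sessions_to_revoke(LAST_FIX, SITE, GEOFENCE_M),
    }

if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

Two caveats the example makes visible. The geofence logout only works while the phone is reporting a position, so a real policy has to decide what a stale or missing fix means; ending the session, as above, trades convenience for safety. The badge correlation only works if the application’s access logs and the physical-access system share a clock and a user identifier, and in practice that plumbing is the hard part.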
Current approaches to data security are Band-Aids when the patient is on life support. PACid’s technology represents a completely new paradigm for security in the digital age.