AT&T is warning mobile customers of a data breach that leaked birth dates and Social Security numbers.
Employees of one of the telco’s contractors, since terminated, were responsible for the breach, AT&T said in a letter to the California Attorney General. They were apparently looking to generate codes that unlock devices.
“AT&T’s commitment to customer privacy and data security are top priorities, and we take those commitments very seriously,” the company said in the letter. “We recently determined that employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization between April 9 and April 21, 2014, and, while doing so, would have been able to view your social security number and possibly your date of birth.”
It added, “AT&T believes the employees accessed your account as part of an effort to request codes from AT&T that are used to unlock AT&T mobile phones in the secondary mobile phone market so that those devices can then be activated with other telecommunications providers.”
No financial data was breached, apparently, and the telco didn't say how many customers are affected. But the incident points to a significant security oversight on the part of the carrier, experts said. Privileged partners sit in a gray area between insiders and outsiders, and security enforcement, network access, IAM entitlements and auditing must all account for these shades of gray.
“Security will always break at the weakest link. Once again we see companies failing to understand the risks that come along with third-party access and facing a crisis that may have been prevented by proactively seeking out or understanding potential attack paths,” said Alberto Solino, technical program manager at Core Security, in an email. “You can’t make assumptions when it comes to security. You have to find these attack paths and validate them before someone else does or your business and most critical assets will always be at risk."
Given the complexity of modern enterprise networks and the prevalence of third parties who have access, companies should run a complete analysis of the network and an automated comparison of the running network to the intended network security architecture.
“While their statement makes it clear that the vendor did not follow protocol, it also underscores the need for multilayered defenses, including defense against vendors and partners that use entry methods other than standard Internet access,” said Steve Hultquist, CIO and vice president of customer success at RedSeal Networks, in a comment. “Vendors and partners often use extranet connections to share information. Given the focus on Internet attacks, these more subtle access points can seem less important. Without automation providing a complete picture of the potential attack paths from end-to-end, an enterprise is open to attack from sources they have not even considered as a threat.”
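One concrete form of the "compare the running network to the intended architecture" advice above, applied to the partner-access problem described throughout this article, is an entitlement audit: take the access a vendor role is supposed to have, replay the access log against it, and flag every lookup that steps outside it. The script below is an added example written for this article, not AT&T's or any vendor's code; the roles, field names, work-order scheme and log lines are all constructed for the illustration.

```python
"""Audit partner-account access events against an intended entitlement policy.

Added example for this article. Every name, policy entry and log line below is
constructed; nothing here describes AT&T's real systems or data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Intended architecture (assumed): which customer-record fields each partner
# role legitimately needs. An unlock-code workflow needs device identifiers,
# not identity data.
INTENDED_ENTITLEMENTS: Dict[str, Set[str]] = {
    "unlock_vendor": {"account_id", "imei", "device_status"},
    "billing_vendor": {"account_id", "balance", "invoice"},
}

# Fields whose exposure is a reportable privacy event (assumed classification).
SENSITIVE_FIELDS = {"ssn", "date_of_birth"}


@dataclass
class AccessEvent:
    ts: str
    actor: str
    role: str
    account: str
    fields: Set[str]
    ticket: str  # work order authorising the lookup; "" if none was supplied


@dataclass
class Finding:
    actor: str
    account: str
    reason: str
    fields: Set[str] = field(default_factory=set)


def parse_event(line: str) -> AccessEvent:
    """Parse one pipe-delimited audit line in the constructed format:
    ts|actor|role|account|field1,field2,...|ticket"""
    ts, actor, role, account, fields, ticket = line.strip().split("|")
    return AccessEvent(ts, actor, role, account, set(fields.split(",")), ticket)


def audit(lines: List[str], open_tickets: Dict[str, str],
          max_accounts_per_actor: int = 3) -> List[Finding]:
    """Replay the log against the intended policy and return every deviation.

    Three checks: (1) fields read outside the role's entitlement,
    (2) lookups with no open work order for that account,
    (3) one actor touching more distinct accounts than the workflow warrants.
    """
    findings: List[Finding] = []
    accounts_by_actor: Dict[str, Set[str]] = {}
    for line in lines:
        ev = parse_event(line)
        allowed = INTENDED_ENTITLEMENTS.get(ev.role, set())
        over = ev.fields - allowed
        if over:
            reason = "field access outside role entitlement"
            if over & SENSITIVE_FIELDS:
                reason += " (sensitive data exposed)"
            findings.append(Finding(ev.actor, ev.account, reason, over))
        if not ev.ticket or open_tickets.get(ev.ticket) != ev.account:
            findings.append(Finding(ev.actor, ev.account,
                                    "no open work order for this account"))
        accounts_by_actor.setdefault(ev.actor, set()).add(ev.account)
    for actor, accts in accounts_by_actor.items():
        if len(accts) > max_accounts_per_actor:
            findings.append(Finding(actor, "*",
                                    f"touched {len(accts)} distinct accounts"))
    return findings


# Constructed sample log: one vendor user reading identity fields it does not
# need, once without any work order, across more accounts than its tickets cover.
SAMPLE_LOG = [
    "2014-04-09T10:02|vendor_u1|unlock_vendor|ACC-100|account_id,imei|WO-1",
    "2014-04-09T10:05|vendor_u1|unlock_vendor|ACC-101|account_id,imei,ssn,date_of_birth|WO-2",
    "2014-04-10T11:00|vendor_u1|unlock_vendor|ACC-102|account_id,imei,ssn|",
    "2014-04-10T11:30|vendor_u1|unlock_vendor|ACC-103|account_id,imei|WO-3",
    "2014-04-11T09:00|vendor_u2|billing_vendor|ACC-200|account_id,balance|WO-4",
]
# Constructed work-order table: ticket -> account it authorises.
OPEN_TICKETS = {"WO-1": "ACC-100", "WO-2": "ACC-101",
                "WO-3": "ACC-103", "WO-4": "ACC-200"}

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, OPEN_TICKETS):
        print(f"{f.actor:10} {f.account:8} {f.reason} {sorted(f.fields) or ''}")
```

The point of the third check is that an unlock request is a per-device, per-ticket action, so a partner account touching many customer records with no matching work orders is the signal worth paging on; the first check is what makes the SSN and date-of-birth exposure visible at all, since a role that can read the whole record leaves no trace of which fields it actually needed.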
AT&T said that it is offering affected customers a year of free credit monitoring and is recommending that people change the passcodes on their accounts as a precaution.