Major US telecoms firm AT&T has been forced to tell some of its customers that an employee broke its privacy and security guidelines by accessing their sensitive data.
The firm claimed in a letter sent to affected customers and posted on the website of the Attorney General of Vermont, that the individual may have lifted their social security and driver’s license numbers.
The letter, from director of finance billing operations, Michael Chiarmonte, added:
“Additionally while accessing your account, the employee would have been able to view your Customer Proprietary Network Information (CPNI) without proper authorization. CPNI is information related to the telecommunications services you purchased from us. On behalf of AT&T, please accept my sincere apology for this incident. Simply stated, this is not the way we conduct business, and as a result, this individual no longer works for AT&T.”
CPNI isn’t particularly important as it only relates to details about the service a customer is receiving and not personal information, but social security numbers in particular could be a valuable asset for identity fraudsters.
Around 1,600 customers were affected, someone familiar with the matter told Reuters.
This isn’t the first time an insider has caused problems at AT&T. In June, the firm admitted that employees at one of its contractors had accessed accounts without authorization, exposing dates of birth and social security numbers.
Jason Judge, CEO at SpectorSoft, argued that when it comes to corporate employees, “more access means more opportunity to cause greater damage.”
“Privileged users, while essential in corporate environments to expedite workflows, can and should be trusted by the organization, but there must be parameters that he or she operates within,” he added.
“Enterprises need to leverage technology to keep tabs on employee activities because when dealing with a potential insider, malicious activities are most often hidden by their job description.”
Chris Sullivan, vice president of advanced solutions at Courion, praised AT&T for spotting the incident, which occurred in August, relatively quickly.
“But it is striking that even a technology giant like AT&T can be vulnerable to an attack that exploits access rights governance,” he added.
“Better housekeeping of access privileges especially when staff come and go should be integral to any organisations data protection precautions.”