AT&T Breached, Exposes 19,000 Identities

mytrip writes to tell us News.com is reporting that a recent attack on AT&T's systems saw thousands of customers' personal data compromised. About 19,000 customers of AT&T's online store who purchased equipment for a DSL connection were affected. From the article: "AT&T is offering to pay for credit monitoring services for customers whose accounts have been impacted because they could be at risk of identity fraud. The company also has made available a toll-free number to affected customers to call for more information."

Perhaps an appropriate punishment

[Bromskloss (750445)]

...for using AT&T.

Re:

[Em Adespoton (792954)]

That would be fine if AT&T were the only company having these problems.
Has ANYONE set up a clearinghouse for these security breaches so I can keep an eye on where (not if) my private information is leaking?

Re:

[byolinux (535260)]

Heh, seems the duped story was removed :)

O RLY?

[abscissa (136568)]

They will pay for credit monitoring services, but will they pay for all the liability from a stolen ID? That can reach into the hundreds of thousands of dollars in real damage.

Heck, frankly...

[skids (119237)]

I wouldn't even be so sure of that. Nowadays whenever I see any corporation saying they take responsibility for something, I immediately suspect another yesmen [theyesmen.org] prank.

Now that may not be very likely, but if I were the yesmen, I'd be perched and waiting for another ID theft scandal, because nothing would be more meta than stealing the ID of a PR person handling an ID theft incident.

Re:O RLY?

[TIMxPx (859220)]

Good point. I suppose that a person releasing 1 million copies of a CD should expect the same level of privacy as a person who submits encrypted credit card information. Oh wait, maybe not.

Re:

[smooth wombat (796938)]

Sort of like when a CD is encrypted so it can't be copied and someone breaks that encryption then releases a million copies of the song. Pretty much apples and oranges.

Oh wait, maybe not.

Re:

[Duhavid (677874)]

Actually, they are encrypted. Play them backwards to get the "plaintext".

Pretty subtle, eh?

Re:

[by Anonymous Coward]

> It wasn't stolen, it was "shared". Making a copy doesn't take anything away from the original owners, right? They still have their names, social security numbers, etc.

It wasn't shared (that implies willingness). If anything, it was "exposed", because it was suposed to be secret or confidential information, something a Britney Spears CD is not (but I would not arge with you if it should).

Re:

[Qzukk (229616)]

the same principle applies just as much to your information as it does to a CD. Either "sharing" is OK, or it's not

Wake me up when downloading a track from emule gets thousands of dollars in creditcard debt taken out in the artist's name by kids on IRC, illegal immigrants getting forged licenses with the label president's drivers license number or getting a job using their SSN, or terrorists buying an internet connection in their name and using it to plan their next bombing run.

Until then, your attempt to c

Re:O RLY?

[jackbird (721605)]

It wasn't stolen, it was "shared". Making a copy doesn't take anything away from the original owners, right? They still have their names, social security numbers, etc.

That's true. And if the identity thieves stop there, simply filing their collection of stolen identities away and displaying a few choice specimens above the mantle for when guests come over, I don't have a problem with it (well a small one, but I can deal).

When the identity thieves use those stolen identities to clean out bank accounts, take out fradulent loans, and steal real, physical goods using credit cards in the victim's name, then they do take something the owner no longer has. IHBT. HAND.

Re:

[jZnat (793348)]

I think a better comparison would be somebody leaking a high-quality pre-release of a movie.

Re:

[orasio (188021)]

You are wrong.
Copyright is about restricting the freedom of the user of the stuff.

The distributor performs the service of giving you the information, and you pay for it. End of story, no agreement, no contract.
Then, there is a law that says that your freedom to distribute the information you paid to access is restricted. You have to wait a lot of time, virtually forever, and then you can share it anyway you like.

About private information, you enter an agreement with someone to share it with them, and they h

Re:

[jb.hl.com (782137)]

Copyright is about restricting the freedom of the user of the stuff.

No, it's more about protecting the freedom and interests of whoever made a work of art, which is its intention.

Re:

[Evro (18923)]

I imagine if someone was copying the information simply to have it, it wouldn't be a big deal. But the fact is that they're copying it for the purposes of identity theft, which translates to real dollars-and-cents costs for the victims. Copying a CD is not the same thing as copying someone's credit card number, which implies using that number to purchase goods with the stolen information. Your argument is cute but specious.

Who modded the troll up?

[phorm (591458)]

Seriously, that is disgusting. The article is completely unrelated to filesharing, and focusses on poor security. It also overlooks that the "information wants to be free" zealot crowd aren't necessarily the same as those in the information-security crowd. Either crowd also tends to be happy when somebody is nailed for trying to sell copied articles.

Copyright won't protect your personal information in any way. So perhaps you should go troll an RIAA article now. Perhaps if there's an article about how a fi

Re:

[bsartist (550317)]

It also overlooks that the "information wants to be free" zealot crowd aren't necessarily the same

What crowd? The "copying a CD is not a crime" quote was exactly that - a direct copy-and-paste quote from an earlier post made by the person I replied to. I wasn't referring to any mythical "crowd", I was referring to two contradictory (IMHO) statements that were made by the same person.

You might also want to look up the definition of the term "troll" - it doesn't mean what you think it means. It isn't anyo

Re:

[bsartist (550317)]

The only thing on a SS-card or a credit card might be the artwork, everything else has no copyright.

I used the term "principle" for a reason. The principle I'm referring to is control. The legal technicalities are different - which is why I specifically did not refer to them. But the principle is the same: the right of a person to control and/or limit the distribution of specific bits of information. To demand that right for one's self while at the same time trying to deny it to others is hypocrisy, plain

Thats exactly why...

[by Anonymous Coward]

I choose to be an Anonymous Coward.

Only "thousands"?

[KiloByte (825081)]

thousands of customer's

Wait, so an one-time spill of the data of just mere thousands of customers (no "'") are suddenly news, and everyone forgets about ongoing constant spilling of the data of 299 millions? Interesting...

Re:Only "thousands"?

[azaroth42 (458293)]

Will the CTO of AT&T resign like AOL's did over the search history release, which was significantly less damaging than this.

I'm putting my money on No, personally.

-- Azaroth

Re:Only "thousands"?

[$RANDOMLUSER (804576)]

To you and the GP:
This was a break-in, not a "spill", which was detected by AT;&T, on the weekend at which time they took very active measures (shutting down the site and contacting credit card companies). Sounds to me like they have some pretty good procedures in place already; you know, the kind of thing a CTO is responsible for.

Really?

[phorm (591458)]

Sorry, but these companies need online presence to offer the services they do. This implies a measured security risk, at which point your points of failure include:

Employees (or ex employees)
The software (and/or software creator)
The operating system (and/or OS creator)

and millions of points in-between. People want the convenience of credit cards and online access, unfortunately there is no foolproof security for this. For ever better vault, a better thief will emerge.

Re:

[balsy2001 (941953)]

I am in the military and have had my personal information lost/stolen 3 times in the last 18 months. 1) By bank of american "shipping" backup tapes of my account history and other gov crad holders in the back of somones car, 2) Veterans Affairs laptop, 3) Someone hacking into the DOE. This kind of thing happens all of the time and there aren't any real consequences for anyone in either the public or private sectore. As you all may remember the VA loss affected 26 MILLION people.

In other news

[suv4x4 (956391)]

In other news:

"AT&T infects 19'000 of their customers with AIDS, after a 'breach' of their 'security' yesterday.
AT&T is offering to pay for free condoms for all affected customers."

Why did ATT allow the possibility?

[Nutria (679911)]

Why did ATT keep confidential records on an exposed system in the 1st place, instead of immediately moving the critical data to a behind-the-firewall system?

Or... did they do that, but the crackers were able to pierce the firewall?

Stop collecting SS#

[by Anonymous Coward]

These companies need to stop collecting this information in the first place. There is no need for AT&T to have this at all to do their business. Last I checked they aren't the Social Security department.

Good for them

[Rogerborg (306625)]

The news here isn't that some incompetent set up their systems, nor that they were cracked. The news is that they've responded openly and meaningfully, without trying to deny it or play down the scale of what happened. I wouldn't be hurrying to sign up to their service because of it, but it certainly doesn't bias me against them. Honesty and integrity are rare enough qualities in corporations that we should applaud them when they claw their way past the lawyers and PR weasels.

It looks like . . .

[Don_dumb (927108)]

. . . AOL is off the hook.

Steal identity?

[homer_s (799572)]

How can anyone steal someone else's identity? Oh, you mean they stole people's social security numbers. That should not be a problem, because as we all know, ss numbers are not meant to be used for identification.

The real problem is companies and the govt using SS# for identification. At this point, about 50 ppl know my SS# - the librarian, the assistant at my school, the clerk in the bank, etc, etc. - so any of these people can harm if they don't like me for some reason? This is stupid.

So what next? Some company decides they are going to use FIRSTNAME_LASTNAME as the id and we are all supposed to keep our names a secret? And run around complaining when our 'identity' (FIRSTNAME_LASTNAME) is stolen?

In many countries, you need a notarised signature to obtain loans, etc. While not foolproof, you can always prove it was not you and it takes more effort to commit fraud.

Re:

[pcgamez (40751)]

The problem is not that 50 people know your SSN. The issue is that companies still act as if it is a secret identifying number. To a company, if you know a name, address, and SSN, you must be that person. It is simply assumed.

Re:

[russ1337 (938915)]

That is why, when they ask for my SSN, i say "I don't have one"... They say "huh? *dumbest look on their face*" and I tell them "I was born overseas and do not have one... and you shouln't need it anyway....."... It usually works. I've nearly always had to pay a higher deposit ('cos they cant check my credit), but its a small price to pay to not give my SSN to the library / power company / phone company / old navy / lunchlady...

Re:

[SCHecklerX (229973)]

Just make up a fake one for these purposes. Unless they are paying you, taxing you, or checking on your finances, they don't have any need for it. Certainly not as a customer ID.

Re:

[Eivind (15695)]

I agree. In Norway we also have a "personal-id-number" which works sort of like a SSN in the states. The main difference being that this is explicitly *not* secret. And *no-one* will assume that you are a certain person just because you happen to know the id-number of that person.

An id-number works perfectly well for *identifying* a certain person. (the bank, the tax-man, the car-registration-people, the unemployment-office and many more will all recognize that a certain number corresponds to a certain pe

This goes back to the original problem..

[saboola (655522)]

You should not be able to do so much damage with a simple number and some extra data. It is ridiculous that armed with merely this amount of information one could cause so much damage. The system needs to be completely reworked.

Re:

[meatspray (59961)]

They need to stop using ssn for primary identification. Take an md5 of the ssn and use it for verification perhaps but using it for id is just silly.

No no no NO NO no... and N-O!

[scovetta (632629)]

No!!!

1. MD5 is weak/broken. No MD5. Erase it from your vocabulary. Replace it with SHA-256 or better.
2. How many SSNs are there? At max, 1 billion (assuming they go 000-00-0000 to 999-99-9999). A reverse lookup directory of 1 billion 256-bit hashes would take around 36 gigabytes of disk space (if my math is correct).
3. If you add salt to it, then the salt becomes a secret key to the routine. Lose that key, and someone can re-create the lookup in a matter of hours (minutes?).

Really, you want to just create a

NSA hard at work

[MECC (8478)]

Maybe it was the NSA.

Cable companies?

[SCHecklerX (229973)]

With the stupid ads that the cable companies has been running lately, I'm wondering if they hired someone to do this.

Scope Creeps

[Doc Ruby (173196)]

Corporations should not be allowed to store personal info longer than the duration of the transaction, or transmit it outside the scope of the transaction. AT&T should be prosecuted for liability, including lifetime exposure to ID fraud. AT&T security and policy managers and directors should hold personal liability, piercing the corporate liability veil.

Then we'd see American corporations rush to rewire their databases to protect customers, instead of protecting their advantages in charging and marketing to us, and the risk that their few bucks benefit will destroy our lives.

Why go to all the trouble break in?

[kasparov (105041)]

Hell, they probably could have just *asked* for the information and AT&T would have handed it over...

Looks like I was on that list

[killermookie (708026)]

This email contains important information that requires your immediate
attention. Please do not reply to this e-mail; instead please use the
telephone number provided below if you wish to contact us.

You previously placed an order with AT&T for DSL-related equipment
through the http://www.sbcdslstore.com/ [sbcdslstore.com] Website, at which time you
provided certain information including your name, address, e-mail
address, phone number, credit card number and credit card expiration.
(This information did not include your Social Security Number, Driver's
License Number, date of birth, or other identifying information.) AT&T
has learned that a computer containing the information you provided has
been accessed by an unauthorized person, who may have obtained this
information about you.

In addition, AT&T also believes that some customers who purchased
DSL-related equipment from us through this same website may be receiving
e-mails that appear to be from AT&T, but actually are being generated by
an unauthorized third-party (a practice known as "phishing"). These
e-mails refer to your prior order with AT&T and request that you
provide additional personal information such as your Social Security
Number, date of birth, or another credit card number and expiration date.
Please be advised that these e-mails are not being sent by AT&T and are not
legitimate. Do not respond to these e-mails or otherwise provide any of your
personal information in response or at any Website to which the e-mail may
refer you.
We sincerely regret that a third party was able to gain improper access
to your order information and we are working diligently with law enforcement
and major credit card companies to limit your potential exposure. Although
your 3-digit credit card verification number (from the back of your card)
was not stored, and therefore not accessed, we strongly suggest that you
contact your credit card company directly to report this suspected incident
and to protect the credit card you used to purchase this equipment from any
unauthorized activity.

In addition, we suggest that you contact the fraud departments of any one of
the three major credit-reporting agencies and let them know you may be a
potential victim of identity theft. That agency will notify the other two.
Through that process, a "fraud alert" will automatically be placed in each
of your three credit reports to notify creditors not to issue new credit in
your name without gaining your permission. For your convenience, we have
included contact information for all three credit reporting agencies:

Equifax
P.O. Box 740241
Atlanta GA 30374
To report fraud: 1-888-766-0008
Website: http://www.equifax.com/ [equifax.com]

Experian
P.O. Box 2002
Allen, TX 75013
To Report Fraud: 1-888-397-3742
Website: http://www.experian.com/ [experian.com]

TransUnion
Post Office Box 6790
Fullerton, CA 92834
To Report Fraud: 1-800-680-7289
Website: http://www.transunion.com/ [transunion.com]

Lastly, to provide further security, AT&T is arranging to provide you the
option of enrolling for one year, at no cost to you, in a credit monitoring
service specifically designed to notify you of changes to your credit report
activity in order to detect fraudulent bank or credit card use. The service
will be provided by one of the major credit reporting agencies. We will
provide specific information on this option as part of a letter you will
receive via U.S. Mail in the next few days.

Again, we regret this unauthorized and unlawful access to your order
information and are working with law enforcement to pursue those who
are responsible. We are also reviewing applicable security procedures
in an effort to prevent an incident like this from recurring. Should yo

Re:Will AT&T pay for....

[kjart (941720)]

Were you potentially a victim of this crime? You seem to be taking it fairly personally - as evidenced by your rater exagerated counterpoints. I for one am willing to give AT&T credit for at least offering to help in some way - most of the times I've read about this happening the company involved didn't offer to pay for anything.

Look, shit happens to the best of us.

[Pink Tinkletini (978889)]

I'm not saying AT&T is "the best of us," but your proposed remedies are fucking childish. Do you also support capital punishment for late pizza delivery?

Re:

[DesireCampbell (923687)]

If AT&T is the pizza guy, they didn't show up late; they showed up with shitty pizza, charged me way too much for it, has been regularly giving my delivery records (including my name, number, address, pizza info, time of delivery, etc.) to the NSA, and have such slip-shod security that information gets leaked putting me (and 19,000 other pizza loving customers) at risk for identity fraud.

Late pizza is the least of my worries.

Re:not my fault...

[legoburner (702695)]

no wonder i have shitty credit... ppl keep stealing my identity... how do i start a new credit report?

Steal someone's identity.

Re:

[Pointdexter (89416)]

Yeah, it's not like the editors couldn't of fixed that.

Re:

[asylumx (881307)]

While we're at it.... "thousands of customer's personal..." should be "thousands of customers' personal..." in the write-up. Why do we call the folks that run Slashdot "Editors" anyway?

Re:

[Pink Tinkletini (978889)]

Any Slashdot post that begins with "bloodfarts" is worth reading. Wish I had mod points.

Re:

[King_TJ (85913)]

Huh? The responsibility for that illegal operation should rest squarely on the shoulders of the current presidential administration. You can't reasonably expect any company in AT&T's position not to comply with something like that - no matter how evil the request is.

Ultimately, they're put betweewn "a rock and a hard place" because they have no immediate legal recourse for a demand placed on them from the highest level of government. They're already govt. regulated as it is - and failure to comply wi