AT&T Breached, Exposes 19,000 Identities

Posted by ScuttleMonkey on Wed Aug 30, 2006 04:21 AM
from the somewhat-worse-than-a-laptop dept.
mytrip writes to tell us News.com is reporting that a recent attack on AT&T's systems saw thousands of customers' personal data compromised. About 19,000 customers of AT&T's online store who purchased equipment for a DSL connection were affected. From the article: "AT&T is offering to pay for credit monitoring services for customers whose accounts have been impacted because they could be at risk of identity fraud. The company also has made available a toll-free number to affected customers to call for more information."

Related Stories

AT&T Crack Part of a Phishing Operation
JohnGrahamCumming writes "According to a story in the San Francisco Chronicle the AT&T store crack was the prelude to a very sophisticated phishing operation. The phishers were aiming to use the information from the store to fool existing customers into divulging SSNs and other personal information." From the article: "'The information that was provided by customers who ordered DSL-related equipment included name, address, e-mail address, phone number, credit card number and credit card expiration,' the memo says, adding that the hacked data didn't include Social Security numbers or birth dates. But the hackers had a scheme to get this extra info. After accessing the customer data, they incorporated it into phishing messages that were promptly sent to AT&T's DSL customers ... Each message included a legitimate order number culled from the AT&T vendor's database to create an illusion of authenticity. Messages also included the recipient's home address and the last four digits of his or her credit card number. "
  • by Bromskloss (750445) on Wednesday August 30 2006, @04:26AM (#16005911)
    ...for using AT&T.
  • O RLY? (Score:5, Insightful)

    by abscissa (136568) on Wednesday August 30 2006, @04:27AM (#16005915)
    They will pay for credit monitoring services, but will they pay for all the liability from a stolen ID? That can reach into the hundreds of thousands of dollars in real damage.
    • Heck, frankly... by skids (Score:3) Wednesday August 30 2006, @05:54AM
    • Re:O RLY? by bsartist (Score:1) Wednesday August 30 2006, @06:11AM
      • Re:O RLY? (Score:4, Insightful)

        by TIMxPx (859220) on Wednesday August 30 2006, @06:37AM (#16006251)
        Good point. I suppose that a person releasing 1 million copies of a CD should expect the same level of privacy as a person who submits encrypted credit card information. Oh wait, maybe not.
        • Re:O RLY? by smooth wombat (Score:2) Wednesday August 30 2006, @07:12AM
          • Re:O RLY? by blugu64 (Score:1) Wednesday August 30 2006, @09:22AM
            • Re:O RLY? by Duhavid (Score:2) Wednesday August 30 2006, @01:41PM
      • Re:O RLY? by Anonymous Coward (Score:2) Wednesday August 30 2006, @07:10AM
      • Re:O RLY? by dragonsomnolent (Score:1) Wednesday August 30 2006, @07:30AM
      • Re:O RLY? by Qzukk (Score:2) Wednesday August 30 2006, @07:33AM
      • No copyright by PetriBORG (Score:1) Wednesday August 30 2006, @07:45AM
      • Re:O RLY? (Score:5, Insightful)

        by jackbird (721605) on Wednesday August 30 2006, @07:58AM (#16006603)
        It wasn't stolen, it was "shared". Making a copy doesn't take anything away from the original owners, right? They still have their names, social security numbers, etc.

        That's true. And if the identity thieves stop there, simply filing their collection of stolen identities away and displaying a few choice specimens above the mantel for when guests come over, I don't have a problem with it (well a small one, but I can deal).

        When the identity thieves use those stolen identities to clean out bank accounts, take out fraudulent loans, and steal real, physical goods using credit cards in the victim's name, then they do take something the owner no longer has. IHBT. HAND.

      • Re:O RLY? by jZnat (Score:2) Wednesday August 30 2006, @09:40AM
      • Re:O RLY? by orasio (Score:2) Wednesday August 30 2006, @10:10AM
        • Re:O RLY? by jb.hl.com (Score:2) Wednesday August 30 2006, @10:49AM
          • Re:O RLY? by orasio (Score:2) Wednesday August 30 2006, @09:29PM
            • Re:O RLY? by jb.hl.com (Score:2) Thursday August 31 2006, @12:24AM
      • Re:O RLY? by Evro (Score:2) Wednesday August 30 2006, @10:21AM
      • Who modded the troll up? by phorm (Score:3) Wednesday August 30 2006, @12:18PM
    • Re:O RLY? by fyndor (Score:1) Wednesday August 30 2006, @11:53AM
    • Re:O RLY? by sgt_doom (Score:1) Wednesday August 30 2006, @01:30PM
  • Thats exactly why... (Score:4, Insightful)

    by Anonymous Coward on Wednesday August 30 2006, @04:27AM (#16005919)
    I choose to be an Anonymous Coward.
  • Only "thousands"? (Score:5, Interesting)

    by KiloByte (825081) on Wednesday August 30 2006, @04:29AM (#16005927)
    thousands of customer's
    Wait, so a one-time spill of the data of just mere thousands of customers (no "'") is suddenly news, and everyone forgets about the ongoing constant spilling of the data of 299 million? Interesting...
    • Re:Only "thousands"? (Score:4, Insightful)

      by azaroth42 (458293) on Wednesday August 30 2006, @05:03AM (#16006024)
      (http://www.csc.liv.ac.uk/~azaroth/)

      Will the CTO of AT&T resign like AOL's did over the search history release, which was significantly less damaging than this.

      I'm putting my money on No, personally.

      -- Azaroth
      • Re:Only "thousands"? (Score:5, Insightful)

        by $RANDOMLUSER (804576) on Wednesday August 30 2006, @05:45AM (#16006134)
        To you and the GP:
        This was a break-in, not a "spill", which was detected by AT&T on the weekend, at which time they took very active measures (shutting down the site and contacting credit card companies). Sounds to me like they have some pretty good procedures in place already; you know, the kind of thing a CTO is responsible for.
        • Really? by phorm (Score:2) Wednesday August 30 2006, @12:22PM
    • Re:Only "thousands"? by balsy2001 (Score:2) Wednesday August 30 2006, @09:10AM
  • In other news (Score:2, Insightful)

    by suv4x4 (956391) on Wednesday August 30 2006, @04:39AM (#16005954)
    In other news:

    "AT&T infects 19'000 of their customers with AIDS, after a 'breach' of their 'security' yesterday.
    AT&T is offering to pay for free condoms for all affected customers."
  • Oi! Hie Thee to Strunk and White! (Score:1, Insightful)

    by JumpingBull (551722) on Wednesday August 30 2006, @04:41AM (#16005959)

    Affected is preferred.
    Effected suggests being brought into being. A database security breach that effects 19000 new customers would not only bring the wrath of the accountants at the Security and Exchange Commission, but also suggests a militant AI broken loose in ATT!

    In response to the A/C that suggested we're; you can remember that a comma suggests a contraction of we are.

    God is an Iron; Engish was my most hated and worst subject. I leave a glass of Wry for my fellows, but I had to learn this grammer stuff in self-defence. Which I shall maintain in a Court of Law.
    Oh, Strunk and White, "the Elements of Style" is a fast way to invigorate your writings. Well worth getting.

  • by Nutria (679911) on Wednesday August 30 2006, @04:42AM (#16005961)
    Why did ATT keep confidential records on an exposed system in the 1st place, instead of immediately moving the critical data to a behind-the-firewall system?

    Or... did they do that, but the crackers were able to pierce the firewall?

  • Stop collecting SS# (Score:4, Insightful)

    by Anonymous Coward on Wednesday August 30 2006, @05:23AM (#16006076)
    These companies need to stop collecting this information in the first place. There is no need for AT&T to have this at all to do their business. Last I checked they aren't the Social Security department.
  • Good for them (Score:5, Insightful)

    by Rogerborg (306625) on Wednesday August 30 2006, @05:45AM (#16006133)
    (http://slashdot.org/)
    The news here isn't that some incompetent set up their systems, nor that they were cracked. The news is that they've responded openly and meaningfully, without trying to deny it or play down the scale of what happened. I wouldn't be hurrying to sign up to their service because of it, but it certainly doesn't bias me against them. Honesty and integrity are rare enough qualities in corporations that we should applaud them when they claw their way past the lawyers and PR weasels.
  • It looks like . . . (Score:4, Insightful)

    by Don_dumb (927108) on Wednesday August 30 2006, @05:49AM (#16006141)
    . . . AOL is off the hook.
  • Steal identity? (Score:5, Insightful)

    by homer_s (799572) on Wednesday August 30 2006, @05:52AM (#16006146)
    How can anyone steal someone else's identity? Oh, you mean they stole people's social security numbers. That should not be a problem, because as we all know, ss numbers are not meant to be used for identification.

    The real problem is companies and the govt using SS# for identification. At this point, about 50 ppl know my SS# - the librarian, the assistant at my school, the clerk in the bank, etc, etc. - so any of these people can harm me if they don't like me for some reason? This is stupid.

    So what next? Some company decides they are going to use FIRSTNAME_LASTNAME as the id and we are all supposed to keep our names a secret? And run around complaining when our 'identity' (FIRSTNAME_LASTNAME) is stolen?

    In many countries, you need a notarised signature to obtain loans, etc. While not foolproof, you can always prove it was not you and it takes more effort to commit fraud.
  • by saboola (655522) on Wednesday August 30 2006, @06:11AM (#16006194)
    You should not be able to do so much damage with a simple number and some extra data. It is ridiculous that armed with merely this amount of information one could cause so much damage. The system needs to be completely reworked.
  • by applix7 (998238) on Wednesday August 30 2006, @06:58AM (#16006314)
    Their mobile phone division is especially vile, in my experience. http://home.comcast.net/~plutarch/malfy.html
  • English, Part II (Score:1, Offtopic)

    by Ancient_Hacker (751168) on Wednesday August 30 2006, @07:00AM (#16006320)
    That should be "affected", not "effected". There's a difference.
  • by ZeusAndHades (768527) on Wednesday August 30 2006, @07:07AM (#16006342)
    So someone hacks a server and 19,000 new customers are created as a result? HOLY CRAP! YOUR RETARDED!
  • NSA hard at work (Score:2)

    by MECC (8478) * on Wednesday August 30 2006, @07:18AM (#16006384)
    Maybe it was the NSA.

  • With the stupid ads that the cable companies has been running lately, I'm wondering if they hired someone to do this.
  • by IamWhoIam (998642) on Wednesday August 30 2006, @08:29AM (#16006778)
    Is the fact that AT&T, who spends more on network security than the gross national income for a lot of countries was compromised, and confidential information was stolen. It doesn't matter how their multi layered defenses got breached, what does matter is they did get breached. The lesson here is IF they can be breached who can't??
  • Scope Creeps (Score:3, Insightful)

    by Doc Ruby (173196) on Wednesday August 30 2006, @08:37AM (#16006831)
    (http://slashdot.org/~Doc%20Ruby/journal | Last Journal: Thursday March 31 2005, @01:48PM)
    Corporations should not be allowed to store personal info longer than the duration of the transaction, or transmit it outside the scope of the transaction. AT&T should be prosecuted for liability, including lifetime exposure to ID fraud. AT&T security and policy managers and directors should hold personal liability, piercing the corporate liability veil.

    Then we'd see American corporations rush to rewire their databases to protect customers, instead of protecting their advantages in charging and marketing to us, and the risk that their few bucks benefit will destroy our lives.
  • I got hit by this one (Score:1, Interesting)

    by Anonymous Coward on Wednesday August 30 2006, @08:40AM (#16006860)
    I'm one of the folks whose information was stolen. I discovered this not by AT&T informing me, but by the phishing attempt I received via email. The email claimed they couldn't access my bank account to pay for my order, and directed me to what appeared to be the ordering site. Since they had the actual order number, I didn't think anything was amiss (other than another company screw up asking me to pay for an order I'd already paid for), and clicked the link.

    I was surprised to be prompted to enter my birthdate and SSN. Which, of course, I did not do. It was also suspicious that all the images were not loading. That's when I noticed the link I'd clicked was not sbcdslstore.com, but sbcdslstore.org. They'd set up a phishing site, linking back to the images on the real sbcdslstore site. (SBC became AT&T, and the company was still using the old site I'd imagine.) At least by shutting down their site, AT&T made the phishing attempt much more obvious.

    The ironic thing for me is that I'm not even an AT&T customer. A friend of mine who does use their DSL service moved recently, and lost the AC/DC adapter for their DSL modem somehow in the move. Since they didn't have internet, I was nice and ordered a replacement adapter for them. Another good deed punished. Oh well, I was thinking of changing banks anyway.

    I think you'll understand why I'm posting anonymous.
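The two tells this poster noticed, a link to sbcdslstore.org standing in for sbcdslstore.com and images hotlinked from the real store so the page looks right, can be checked mechanically in a mail filter. The following is an added example written for this thread, not code from the poster, from AT&T or from Slashdot; the sample messages, the URL paths and the function names are constructed for illustration, and the domain split assumes a single-label TLD, which is all the .com/.org swap described above needs.

```python
"""Flag two phishing signals from the post above: a link whose host is a
TLD swap of the legitimate shop domain, and images hotlinked from the
legitimate domain while every link in the message points elsewhere.
Added example; sample messages, paths and names are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

LEGIT_HOST = "sbcdslstore.com"  # the real store domain named in the post


class _RefCollector(HTMLParser):
    """Collect href targets of <a> tags and src targets of <img> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.images = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img" and attrs.get("src"):
            self.images.append(attrs["src"])


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def _name_and_tld(host):
    # Naive split into (second-level label, TLD). Assumes a single-label
    # public suffix, which is enough for the .com/.org swap discussed here.
    labels = host.split(".")
    if len(labels) < 2:
        return host, ""
    return labels[-2], labels[-1]


def classify_host(host, legit=LEGIT_HOST):
    """'legit' for the real domain or a subdomain of it, 'tld-swap' when only
    the TLD differs, 'brand-in-host' when the brand label appears anywhere
    else in the host, otherwise 'other'."""
    if host == legit or host.endswith("." + legit):
        return "legit"
    name, tld = _name_and_tld(host)
    legit_name, legit_tld = _name_and_tld(legit)
    if name == legit_name and tld != legit_tld:
        return "tld-swap"
    if legit_name in host:
        return "brand-in-host"
    return "other"


def analyze_message(html, legit=LEGIT_HOST):
    """Return a list of findings for one HTML message; empty means clean."""
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    link_hosts = set()
    for url in collector.links:
        host = host_of(url)
        link_hosts.add(host)
        verdict = classify_host(host, legit)
        if verdict != "legit":
            findings.append({"kind": "link", "url": url, "verdict": verdict})
    # Images served from the real site while no link leads there is the
    # hotlinking pattern the poster saw on the lookalike page.
    image_hosts = {host_of(url) for url in collector.images}
    images_from_legit = any(classify_host(h, legit) == "legit" for h in image_hosts)
    links_to_legit = any(classify_host(h, legit) == "legit" for h in link_hosts)
    if images_from_legit and link_hosts and not links_to_legit:
        findings.append({"kind": "mixed-origin", "url": None,
                         "verdict": "images from %s but no link to it" % legit})
    return findings


# Constructed sample messages (not the real mails); the paths are invented.
PHISH_SAMPLE = """
<p>We could not charge your account for your recent order.</p>
<img src="http://www.sbcdslstore.com/images/logo.gif">
<a href="http://www.sbcdslstore.org/order/confirm">Confirm your order</a>
"""

LEGIT_SAMPLE = """
<img src="http://www.sbcdslstore.com/images/logo.gif">
<a href="http://www.sbcdslstore.com/orders">View your order</a>
"""

if __name__ == "__main__":
    for finding in analyze_message(PHISH_SAMPLE):
        print(finding)
```

The check deliberately keys on the registrable name rather than on the full hostname, so a subdomain of the real store passes while any sibling TLD is flagged; a production filter would replace `_name_and_tld` with a public-suffix-list lookup so that multi-label suffixes are handled too.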
  • After the customers got affected then only they offer the monitoring service. So shocking they should add the feature long time ago..
  • by cyberbian (897119) on Wednesday August 30 2006, @10:10AM (#16007572)
    (Last Journal: Monday September 11 2006, @07:26AM)
    there's fire.

    This is small time compared to the egregious breach of privacy experienced by nearly everyone with AT&T's complicity with the NSA's illegal splitting operations in San Francisco and elsewhere. AT&T is at it again; time for more anti-trust remedies.

  • Why go to all the trouble break in? (Score:3, Insightful)

    by kasparov (105041) * on Wednesday August 30 2006, @10:48AM (#16007916)
    Hell, they probably could have just *asked* for the information and AT&T would have handed it over...
  • Looks like I was on that list (Score:5, Interesting)

    by killermookie (708026) <matt.killermookie@org> on Wednesday August 30 2006, @02:40PM (#16009960)
    (http://killermookie.org/)
    This email contains important information that requires your immediate
    attention. Please do not reply to this e-mail; instead please use the
    telephone number provided below if you wish to contact us.

    You previously placed an order with AT&T for DSL-related equipment
    through the http://www.sbcdslstore.com/ Website, at which time you
    provided certain information including your name, address, e-mail
    address, phone number, credit card number and credit card expiration.
    (This information did not include your Social Security Number, Driver's
    License Number, date of birth, or other identifying information.) AT&T
    has learned that a computer containing the information you provided has
    been accessed by an unauthorized person, who may have obtained this
    information about you.

    In addition, AT&T also believes that some customers who purchased
    DSL-related equipment from us through this same website may be receiving
    e-mails that appear to be from AT&T, but actually are being generated by
    an unauthorized third-party (a practice known as "phishing"). These
    e-mails refer to your prior order with AT&T and request that you
    provide additional personal information such as your Social Security
    Number, date of birth, or another credit card number and expiration date.
    Please be advised that these e-mails are not being sent by AT&T and are not
    legitimate. Do not respond to these e-mails or otherwise provide any of your
    personal information in response or at any Website to which the e-mail may
    refer you.
    We sincerely regret that a third party was able to gain improper access
    to your order information and we are working diligently with law enforcement
    and major credit card companies to limit your potential exposure. Although
    your 3-digit credit card verification number (from the back of your card)
    was not stored, and therefore not accessed, we strongly suggest that you
    contact your credit card company directly to report this suspected incident
    and to protect the credit card you used to purchase this equipment from any
    unauthorized activity.

    In addition, we suggest that you contact the fraud departments of any one of
    the three major credit-reporting agencies and let them know you may be a
    potential victim of identity theft. That agency will notify the other two.
    Through that process, a "fraud alert" will automatically be placed in each
    of your three credit reports to notify creditors not to issue new credit in
    your name without gaining your permission. For your convenience, we have
    included contact information for all three credit reporting agencies:

    Equifax
    P.O. Box 740241
    Atlanta GA 30374
    To report fraud: 1-888-766-0008
    Website: http://www.equifax.com/

    Experian
    P.O. Box 2002
    Allen, TX 75013
    To Report Fraud: 1-888-397-3742
    Website: http://www.experian.com/

    TransUnion
    Post Office Box 6790
    Fullerton, CA 92834
    To Report Fraud: 1-800-680-7289
    Website: http://www.transunion.com/

    Lastly, to provide further security, AT&T is arranging to provide you the
    option of enrolling for one year, at no cost to you, in a credit monitoring
    service specifically designed to notify you of changes to your credit report
    activity in order to detect fraudulent bank or credit card use. The service
    will be provided by one of the major credit reporting agencies. We will
    provide specific information on this option as part of a letter you will
    receive via U.S. Mail in the next few days.

    Again, we regret this unauthorized and unlawful access to your order
    information and are working with law enforcement to pursue those who
    are responsible. We are also reviewing applicable security procedures
    in an effort to prevent an incident like this from recurring. Should yo
  • Future transcript (Score:2)

    by Eil (82413) on Wednesday August 30 2006, @03:19PM (#16010271)
    (http://bityard.net/ | Last Journal: Thursday August 08 2002, @04:18PM)
    AT&T Call Center Operator: Sir, may I ask you why you're choosing to cancel your service with us today?

    Me: Well, let's see, first there was that whole Internet tapping thing.

    AT&T: I'm not sure which Internet tapping situation you're referring to...

    Me: GOOD GOD, THERE'S MORE THAN ONE?! Hold on, let me pull up my blog!

    AT&T: No, sir, I meant I'm not personally aware of any Internet tapping. I assure you that AT&T values your privacy...

    Me: And then you cooperated with the NSA in their illegal domestic spying project.

    AT&T: While I can't offer any comments on that, I'd just like to state that your privacy is our first concern...

    Me: Then you wouldn't mind explaining how just last weekend, you let slip the personal information of over 19,000 customers?

    AT&T: Sir, I assure you that incidents like this are very...

    Me: STRIKE THREE, YOU'RE OUT! *click*

  • by kjart (941720) on Wednesday August 30 2006, @04:40AM (#16005956)

    Were you potentially a victim of this crime? You seem to be taking it fairly personally - as evidenced by your rather exaggerated counterpoints. I for one am willing to give AT&T credit for at least offering to help in some way - most of the times I've read about this happening the company involved didn't offer to pay for anything.

  • Re:not my fault... (Score:5, Funny)

    by legoburner (702695) on Wednesday August 30 2006, @04:45AM (#16005970)
    (http://www.comparecomponents.com/ | Last Journal: Friday September 15 2006, @02:04PM)
    no wonder i have shitty credit... ppl keep stealing my identity... how do i start a new credit report?

    Steal someone's identity.
  • I'm not saying AT&T is "the best of us," but your proposed remedies are fucking childish. Do you also support capital punishment for late pizza delivery?
  • by Pointdexter (89416) * on Wednesday August 30 2006, @04:59AM (#16006011)
    (http://simonstarr.com/)
    Yeah, it's not like the editors couldn't of fixed that.
  • Re:"...customers were effected" (Score:3, Informative)

    by asylumx (881307) on Wednesday August 30 2006, @05:14AM (#16006049)
    While we're at it.... "thousands of customer's personal..." should be "thousands of customers' personal..." in the write-up. Why do we call the folks that run Slashdot "Editors" anyway?
  • Re:movd up (Score:2)

    Any Slashdot post that begins with "bloodfarts" is worth reading. Wish I had mod points.
  • by Tran (721196) on Wednesday August 30 2006, @08:17AM (#16006705)
    The credit card information for purchases is not supposed to be stored according to what I have been told. That is why I never ever let companies have access to my bank account or credit cards for recurring charges. I pay recurring charges electronically from the bank. I think that letting companies take money automatically from one's own account is rather risky since the companies would need to store that info. These breaches certainly don't allay that fear. It is true, the bank's security could be breached as well, but at least there is only one place from where information can be taken rather than tens of places.
  • Re:kids these days (Score:1)

    by Athenais (922233) on Wednesday August 30 2006, @01:39PM (#16009412)
    (http://wealthandpower.org/)
    "screw", transitive verb: to defeat with trickery or deception, to place in a situation impossible to escape