AT&T Says Customer Data Accessed To Unlock Smartphones

Soulskill posted about 2 months ago | from the another-day-another-breach dept.

AT&T 65

itwbennett writes: Personal information, including Social Security numbers and call records, was accessed for an unknown number of AT&T Mobility customers by people outside of the company, AT&T has confirmed. The breach took place between April 9-21, but was only disclosed this week in a filing with California regulators. While AT&T wouldn't say how many customers were affected, state law requires such disclosures if an incident affects at least 500 customers in California.


Not doing it right (4, Insightful)

sinij (911942) | about 2 months ago | (#47229283)

Why would anyone give SSN to AT&T? Do they also process your taxes? If not, they have no place asking or retaining this information.

Re:Not doing it right (2)

wbr1 (2538558) | about 2 months ago | (#47229299)

Even though it is not recommended, many, many organizations use the SSN as a unique identifier. See http://consumersunion.org/news... [consumersunion.org]

Re:Not doing it right (0)

Archangel Michael (180766) | about 2 months ago | (#47230243)

Here's a novel idea. Let's use the SSN as a unique identifier AFTER you have verified that that person is actually who they say they are. Do not use it for Authentication or Identification for authentication purposes, nor for any other purpose other than taxes.

But that is exactly what was promised when the SS system was first proposed, but we all know how that worked out. Government lies.

Re:Not doing it right (1)

TemporalBeing (803363) | about 2 months ago | (#47231493)

Even though it is not recommended, many, many organizations use the SSN as a unique identifier. See http://consumersunion.org/news... [consumersunion.org]

Technically not legal; but doesn't stop them.

Technically - you can only use your SSN with the IRS for tax purposes; but that doesn't stop anyone.

Re:Not doing it right (1)

thejynxed (831517) | about 2 months ago | (#47240797)

Hell, it doesn't even stop government agencies OTHER than the IRS requiring you to use it on all kinds of forms and applications, either.

Re:Not doing it right (5, Informative)

rsmith-mac (639075) | about 2 months ago | (#47229315)

Credit checks for post-paid accounts.

Re:Not doing it right (5, Insightful)

Virtucon (127420) | about 2 months ago | (#47229427)

Yeah everybody wants your SSN and here's the trick folks, don't give it to them unless you absolutely have to. I'm finding it harder and harder these days to start to trust any companies with sensitive information like this. What's needed is an abstract number like a disposable e-mail address to start protecting our anonymity. Once it's used to verify if the customer is "sponge-worthy" [urbandictionary.com] it disappears and the requester can't use it again.

I recently bought a new car at the same dealership where I'd previously purchased another one, about 5 years ago, and when going through all the paperwork found that they had my SSN and other financial data on file from the last time from that transaction. Needless to say I went ballistic and asked a few WTF questions of the management. They agreed that after the transaction was concluded that those details would be erased. I've since filed a complaint with the state attorney general, the state consumer affairs and the feds because none of this was disclosed 5 years ago and I don't know who has seen this data or my SSN.

Re:Not doing it right (0, Interesting)

Anonymous Coward | about 2 months ago | (#47229557)

Car dealers are required by federal law to keep records of all transactions for a period of 10 years, including the purchaser's SSN and other identifying information. It's an anti-terrorism thing.

Re: Not doing it right (3, Insightful)

jd2112 (1535857) | about 2 months ago | (#47229659)

Because we all knew terrorists wait up to 10 years after legally purchasing a vehicle before using it in an attack, right?

Wrong. That is a lie. (1)

Anonymous Coward | about 2 months ago | (#47229829)

Dealers and sales liars say that to run your credit in order to sucker you. [edmunds.com]

Remember folks, everything that comes out of a sales person's mouth is a lie until proven otherwise.

Re:Wrong. That is a lie. (1)

Anonymous Coward | about 2 months ago | (#47229957)

Funny, the article you linked to says this:

Dealers are required to ask for identification, such as a driver license, from buyers who are purchasing a car for more than $10,000 in cash. They also must get a Social Security number or Tax ID Number.

Re:Wrong. That is a lie. (1)

RabidReindeer (2625839) | about 2 months ago | (#47230677)

Funny, the article you linked to says this:

Dealers are required to ask for identification, such as a driver license, from buyers who are purchasing a car for more than $10,000 in cash. They also must get a Social Security number or Tax ID Number.

Pretty much anything that involves more than $10,000 has to be reported to the Feds. Whether it's cash or not.

CASH - and ONLY Cash, Geeze! (0)

Anonymous Coward | about 2 months ago | (#47231361)

If you are buying in CASH - not always - contrary to what the dealers say and they say you ALWAYS have to give your SSN.

God!

Re:Not doing it right (0)

Anonymous Coward | about 2 months ago | (#47229993)

It's an anti-terrorism thing.

It's a privacy in exchange for 'security' thing. Mandatory data retention laws are absurd. We are supposed to be the "land of the free," not a bunch of worthless cowards. *sigh*

Re:Not doing it right (2, Informative)

Anonymous Coward | about 2 months ago | (#47232621)

Strange, I never gave my SSN to the dealer of the last car I bought. Unless they want to do a credit check, they have no reason to have your SSN. Often times they run that credit check without your explicit knowledge. They claim they have to or it is policy or they "do that for everyone" because the government requires it. That is a LIE.

More complaints to file (1)

Anonymous Coward | about 2 months ago | (#47229955)

Also file a BBB complaint and write a letter - snail mail - to the credit bureau(s) they pulled the report from and let them know that it was done without your permission or knowledge. Let them know those sacks of shit are acting unethically and possibly against the terms of their subscription with the credit bureaus.

Re:Not doing it right (1)

Detonia (3694291) | about 2 months ago | (#47236025)

What's needed is an abstract number like a disposable e-mail address to start protecting our anonymity. Once it's used to verify if the customer is "sponge-worthy" [urbandictionary.com] it disappears and the requester can't use it again.

http://10minutemail.com/10Minu... [10minutemail.com]

Re:Not doing it right (-1)

Anonymous Coward | about 2 months ago | (#47229455)

This should be higher, it's the correct answer.

That's only an excuse. (1)

Ecuador (740021) | about 2 months ago | (#47230121)

I know that is often used as the "excuse" but you don't actually need a SSN to run a credit-check. Name and address are enough, which is why e.g. a landlord can avoid sounding too obtrusive by not asking for the applicant's SSN - they can get the credit report just fine with the name and previous address.

Re:That's only an excuse. (2)

scottbomb (1290580) | about 2 months ago | (#47231175)

Without an SSN you need a DOB. At least that's the case for all the credit checks I've run at multiple companies over the past 20 years.

Re:That's only an excuse. (1)

Anonymous Coward | about 2 months ago | (#47231375)

Not true. I can confirm that for example Experian tenant check only asks you for the name and address, yet the report contains the SSN (and DOB)! Other less known agencies offer similar services.

Re:That's only an excuse. (1)

Ecuador (740021) | about 2 months ago | (#47234003)

Sorry, but you are wrong. The AC mentioned Experian, so I guess this is a quick example: http://www.experian.com/screening-services/tenant-credit-check.html [experian.com] Only name and address needed (and annual income if you want them to make a decision for you, but not for the credit check). But you could also ask the hordes of people who are surprised when they find out their car dealer ran their credit with only their name and address (hint: if they never gave permission they can pursue the FCRA violation).

Re:Not doing it right (1)

Anonymous Coward | about 2 months ago | (#47229353)

You do not need to give an SSN to AT&T, however this is not largely advertised because they make more money on contracts and collections recovery ($100 deposit vs up to $300 for collections recovery). Just like car dealers do not advertise you can talk down the price, AT&T is in business to make money. Remember that whenever you begin to ask the question "Why would anyone give their SSN to ......"

Re:Not doing it right (1)

Anonymous Coward | about 2 months ago | (#47229439)

And they do not have to provide you with mobile phone service, either. At my business the SSN is used as a uniquely identifying field for each customer and is integrated into the billing process. We make sure that the SSN number does not appear in its entirety on any mailed documents but it is retained in our system to ensure the customer does not have credit problems that could impact ability to pay (we run soft credit checks on a regular basis on all customers). Anyone that refuses to provide a valid SSN is rejected from our services. 95%+ people do not have a problem with this.

Re:Not doing it right (4, Insightful)

sinij (911942) | about 2 months ago | (#47229475)

>>> Anyone that refuses to provide a valid SSN is rejected from our services.

Your business is clearly contributing to the problem and should be held fully liable for any damage resulting from the data breach that you will inevitably experience at some point.

As to database designers that don't self generate uids and instead use SSN...

Still, there are ways around such obnoxious requests. My SSN is 123-4-5678.

Re:Not doing it right (0)

Anonymous Coward | about 2 months ago | (#47231553)

... that's not enough digits. If you want a fake generic SSN, just use 123-45-6789.... or if you want it to be slightly less obvious, use 078-05-1120.

Re:Not doing it right (0)

Anonymous Coward | about 2 months ago | (#47233867)

thanks for that number. I'd never heard of the Woolworth SSN [ssa.gov]

Re:Not doing it right (1)

Stan92057 (737634) | about 2 months ago | (#47233537)

And what service is that?? What company as well

Re:Not doing it right (-1)

Anonymous Coward | about 2 months ago | (#47229503)

People fear government, people fear regulation, business buys a great deal of think tanks to astroturf anything other than this, people don't understand that a Federal Law banning the usage and restricting the gathering is the only thing that will stop the wholesale selling of your life for the profit of others.

All this information will only ever be used against you, never in your defence or for you.

Billion dollar corporations are controlled by very wealthy people that never wait in line at public air terminals. They are on the corporate jet and off the jet at destination prior to you getting through the boarding process at a public terminal in many cases. For them a long wait time to take off is 15 minutes after the driver drops them off at the private terminal in the back. How do you convince them of anything, they are so disconnected from the other 95% of the country, they can do nothing more than mouth they understand, and pay people to convince you you're happy or well enough off. They know how to buy you, they know how to sell you, the only thing left is to induce belief in you that it's all better this way. All Americans are taught math and how to analyze data. We are then convinced by religious organizations and think tank verbiage and commercials that this is a bad thing, we should believe and hope for answers. Example the public lottery to fund schools and education.

Once we reach the point where we have again created a royal class that can and will let others starve, we as a people will be angry enough as a people to fix it. The .0001% know this, so there is just enough left to keep you happy or they make you disappear. An example of something that confused them: Occupy Wall Street could not be taken over like the early tea party movement was, so they hired the police to mop up people in the middle of the night and drive them out. They tried for a long time to find and create a leadership to take over the movement to astroturf with it, but after all that fail, they had to resort to paying off the police and remove them in the middle of the night.

The future is going to be a dim place if all of us do not start being active and vigilant for our Democracy. When was the last time you did anything other than vote to improve it? It's on our shoulders to fix it. Do not expect big business to fix it, ever, they won't unless it adds to the bottom line and they remain in control somehow.

\soapboxoff

Re:Not doing it right (1)

niftymitch (1625721) | about 2 months ago | (#47229617)

Why would anyone give SSN to AT&T? Do they also process your taxes? If not, they have no place asking or retaining this information.

Why?.... the DHS and friends have increased the information disclosure for cell phones as well as banking records....

Companies are more and more compelled to dig into your life and keep and make available to "enforcement" on demands more and more information.

We do have rather well structured standards for the management of credit card info (PCI Compliance Security Standards) but do not have equivalent standards for the information that others must gather. The good(ish) laws on disclosure are making it evident that personal data retention and access standards are needed.

Time to write my state and federal legislature.

Re:Not doing it right (1)

scottbomb (1290580) | about 2 months ago | (#47230277)

Credit check. A company choosing to keep it AFTER the fact is folly, unless you're a banker extending credit and you need to periodically re-run credit.

Re: Not doing it right (0)

Anonymous Coward | about 2 months ago | (#47230385)

Credit check before they'll let you sign a contract.

Re:Not doing it right (2)

mstockman (188945) | about 2 months ago | (#47230697)

Why would anyone give SSN to AT&T? Do they also process your taxes? If not, they have no place asking or retaining this information.

When I first got my iPhone, the Apple Store reps could not figure out how (or wouldn't admit to knowing how) to sell an AT&T contract without a social security number. They sent me down the way to the AT&T store who also couldn't figure it out without calling in to a customer service line and escalating to a supervisor. It took over two hours to buy the damn phone without a SS#, but would have been five minutes if I had given it up. Eventually, they admitted that they have a placeholder number they can use instead of the SS# and we completed the transaction.

Granted, this was a few years ago, but I don't see why they'd be any more cooperative today.

So that's why people give it to them. Is it required? No. Do people have several hours to waste and the stubbornness to jump through the hoops? Not usually.

Re:Not doing it right (2)

sinij (911942) | about 2 months ago | (#47231063)

Human irrationality.

Would you give AT&T a signed blank check if they promised they would keep it for you "for security purposes"? Most people would hesitate to do so, but having one of your checks compromised is a lot less damaging than having your identity stolen via SSN compromise.

Re:Not doing it right (1)

thejynxed (831517) | about 2 months ago | (#47240751)

It's surprising they are even following the bare minimum. Back in the dinosaur era of the 90's, when I worked for them (briefly), they got around most of such laws with impunity simply by changing where they stored customer databases.

If there was anything I ever picked up from my time at AT&T, it was that they are masters of shady law avoidance practices.

Oh fudge (1)

rsmith-mac (639075) | about 2 months ago | (#47229297)

SSNs? Oh fudge.

It would be nice to get more details about this than what's available in TFA. Was this only accounts in California, etc?

Re:Oh fudge (1)

robinsonne (952701) | about 2 months ago | (#47229431)

No, but AT&T is following the bare minimum of the letter of the law in California. I would assume it's a much wider problem.

Hmmm ... (5, Interesting)

gstoddart (321705) | about 2 months ago | (#47229303)

"We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization," the company said in a statement.

"This is completely counter to the way we require our vendors to conduct business."

So, if this is completely counter to how you require it, and they didn't have authorization ... why the hell is it set up so they can access it without proper authorization???

If the access is set up to say "do you promise to not log in when you're not supposed to?" then the system is pretty much useless.

Re:Hmmm ... (1)

Calydor (739835) | about 2 months ago | (#47229999)

Because at some point the red tape would become counter to conducting business.

If one of these employees is the store manager or even regional manager, why WOULDN'T he have the authorization to grant access? Would they need to call the AT&T HQ every time they need to look up a record to have access granted from within?

Re:Hmmm ... (0)

Anonymous Coward | about 2 months ago | (#47230285)

If one of these employees is the store manager or even regional manager, why WOULDN'T he have the authorization to grant access?

There's no way in hell that a store employee needs to access SSN. None.

If a SSN is required to activate service, the customer can enter their SSN at a secure kiosk.

But you can fix it easily (1)

Ecuador (740021) | about 2 months ago | (#47230131)

... by adding a "pinky swear" checkbox.

Fuck beta (-1)

Anonymous Coward | about 2 months ago | (#47229377)

fuck beta

Meh... (1)

BobMcD (601576) | about 2 months ago | (#47229479)

So AT&T seems pretty confident that the 'breach' was inappropriate use of data that a partner of theirs had access to already. It isn't as if some unknown nefarious party hacked them for unknown malicious reasons.

Dude queried tables they didn't think he had access to, and seemingly while doing his job.

In other words, daily IT stuff.

I'm not opposed to the report, per se, but the summary borders on sensationalism.

Re:Meh... (1)

Charliemopps (1157495) | about 2 months ago | (#47229569)

"Employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization," the company said in a letter to affected customers. "AT&T believes the employees accessed your account as part of an effort to request codes from AT&T that are used to unlock AT&T mobile phones in the secondary mobile phone market."

You're right. People don't realize just how much regulation Telecoms and Cellular providers are under. They've got a security policy, and a vendor violated it during a routine part of their job. Likely this was just some guy that wrote a query as "Select * from accounts" instead of "Select ID, Phone, address from accounts" like he should have. AT&T's security policy required a report on it or whatever. I saw a guy I worked with get fired for a similar mistake.

Careful with your Queries folks... even while testing. The wrong SQL statement can land you on the front page of CNN.

Re:Meh... (1)

gstoddart (321705) | about 2 months ago | (#47229633)

Likely this was just some guy that wrote a query as "Select * from accounts" instead of "Select ID, Phone, address from accounts" like he should have.

Sorry, what? If your outside vendors have the ability to do a raw select on your database ... you're doing it wrong.

These people should be coming in from an interface which only allows them to access what they're required to access, and absolutely NOTHING else.

And your SSN should NOT be included in that.

Hell, as a matter of security when someone asks us for read only access to our database the answer is pretty much always "hell no". If you need something, we'll create you a view, but complete raw access?? Not on your life.
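The column restriction described in the comment above, as an added example that is not part of any post in this thread. SQLite has no GRANT, so an authorizer callback stands in for the database privileges a server DBMS would provide; the table layout, the view name `vendor_accounts` and the sample row are constructed for illustration.

```python
import sqlite3

# Columns the vendor role may read: the list quoted in the thread
# ("ID, Phone, address"). ssn is deliberately absent.
VENDOR_COLUMNS = {
    "accounts": {"id", "phone", "address"},
    "vendor_accounts": {"id", "phone", "address"},  # hypothetical view name
}


def vendor_authorizer(action, arg1, arg2, db_name, source):
    """Allow plain SELECT statements, and only reads of allowlisted columns.

    For SQLITE_READ, arg1 is the table (or view) name and arg2 the column.
    Everything else (UPDATE, DROP, CREATE VIEW, ...) is denied outright.
    """
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:
        allowed = VENDOR_COLUMNS.get((arg1 or "").lower(), set())
        if (arg2 or "").lower() in allowed:
            return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY


def open_vendor_connection():
    """Build a constructed accounts table, then lock the connection down."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE accounts (
            id INTEGER PRIMARY KEY, phone TEXT, address TEXT, ssn TEXT
        );
        -- constructed sample row; the SSN is an invalid placeholder
        INSERT INTO accounts VALUES (1, '555-0100', '1 Example St', '000-00-0000');
        CREATE VIEW vendor_accounts AS
            SELECT id, phone, address FROM accounts;
        """
    )
    # From here on every statement is checked while it is being compiled,
    # so a refused query never executes at all.
    conn.set_authorizer(vendor_authorizer)
    return conn


def run(conn, sql):
    """Return the rows, or a 'refused: ...' string if the statement is denied."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    vendor = open_vendor_connection()
    for statement in (
        "SELECT * FROM vendor_accounts",
        "SELECT id, phone, address FROM accounts",
        "SELECT * FROM accounts",
        "UPDATE accounts SET phone = 'x'",
    ):
        print(statement, "->", run(vendor, statement))
```

Because the check is on the column being read rather than on the query text, wrapping the read in a subquery or a CTE does not get around it.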

Re:Meh... (1)

BobMcD (601576) | about 2 months ago | (#47229799)

Clearly they're doing it wrong, thus the report.

But is this alarming enough to be news?

I'm pretty confident YOUR BANK is doing it wrong as well, in terms of vendor relations. And those are your actual dollars.

Re:Meh... (1)

gstoddart (321705) | about 2 months ago | (#47229893)

But is this alarming enough to be news?

That they're that incompetent at designing a secure system? Yeah.

I'm pretty confident YOUR BANK is doing it wrong as well

I'm pretty sure I live in a different country than you, and we have much stricter banking laws.

Re:Meh... (1)

BobMcD (601576) | about 2 months ago | (#47230259)

Perhaps I've worked with international banking websites as a vendor.

But the point still stands. This happens a lot, and you don't necessarily need to know about it.

Re:Meh... (2)

gstoddart (321705) | about 2 months ago | (#47230499)

This happens a lot, and you don't necessarily need to know about it.

Unless there's a law requiring it. In this case, there was.

Me, I think corporations should be required to tell people about such breaches.

Because then maybe they'd learn to stop the breaches instead of pretending they never happened.

Re:Meh... (1)

BobMcD (601576) | about 2 months ago | (#47231991)

More likely you'd set up your spam filter to squelch all the notifications.

Again, incidental contact happens billions of times in a given day worldwide. Most laws don't require reporting it. HIPAA, for example, specifically permits it as a part of doing business.

Re:Meh... (0)

Anonymous Coward | about 2 months ago | (#47229985)

Obligatory XKCD. [xkcd.com]

Re:Meh... (1)

alen (225700) | about 2 months ago | (#47230105)

I bet it was someone trying to unlock a phone that wasn't supposed to be unlocked
AT&T cracked down on third parties selling iPhone unlocks and someone was probably trying to figure out how to do it again

Re: Meh... (0)

Anonymous Coward | about 2 months ago | (#47231007)

I work for the company and there has never been a third party selling iPhone unlocks. All legit iPhone unlocks are submitted to Apple via the carrier then Apple does the final approval and then iTunes does the rest.

Jail broken and then unlocked phones via that method, no one at the t went after them.

Re:Meh... (1)

Karlt1 (231423) | about 2 months ago | (#47231227)

I bet it was someone trying to unlock a phone that wasn't supposed to be unlocked
AT&T cracked down on third parties selling iPhone unlocks and someone was probably trying to figure out how to do it again

Why would you need to go to a third party? They have a simple form on their website that you fill out and they will unlock it for you as long as you fulfilled your contract. I requested an iPhone to be unlocked two years after I left the service and the turnaround was less than 3 days. Verizon on the other hand....

Translation (1)

ArhcAngel (247594) | about 2 months ago | (#47229507)

We received what we thought was a request for data from the NSA on April 9th. We happily complied and began sending the data. We were shocked when the REAL NSA called on April 21st requesting the same data. Naturally we gave them the data and stopped sending it to #Fake NSA.

Re:Translation (1)

PPH (736903) | about 2 months ago | (#47232343)

That National Security Letterhead really seems to be making the rounds with the scammers. That, a fake ID and a pair of cheap dark glasses and anyone thinks they can just shove their way into your business.

It's Spearphishing (1)

EmagGeek (574360) | about 2 months ago | (#47229537)

I get 4 to 5 calls a day from an automated scammer trying to get me to "claim my $200 AT&T bill credit" by logging into a fake AT&T site using all kinds of sensitive personal information.

The scammers take that information and use it to buy phones and plans under the victim's account and ship them overseas where they can be used by whoever.

Getting erroneous statements from ATT for years (1)

walterbyrd (182728) | about 2 months ago | (#47229605)

I constantly get statements from ATT saying "we have deducted this money from your bank account" I have been getting them for two years, at least.

ATT tells me it is a glitch in their system, and not to worry about it.

So far, no money has been wrongly deducted, that I am aware of.

However, I do not consider this to be confidence inspiring.

Re:Getting erroneous statements from ATT for years (1)

coinreturn (617535) | about 2 months ago | (#47232051)

I constantly get statements from ATT saying "we have deducted this money from your bank account" I have been getting them for two years, at least.

ATT tells me it is a glitch in their system, and not to worry about it.

So far, no money has been wrongly deducted, that I am aware of.

However, I do not consider this to be confidence inspiring.

Meanwhile, some other sucker is getting money deducted without an explanation.

NSA? (1)

JStyle (833234) | about 2 months ago | (#47229615)

I thought the NSA was doing this for a while already.

Weev (0)

Anonymous Coward | about 2 months ago | (#47230507)

Sounds like the same great 'security' that Weev broke. Meaning no security at all, you just have to guess the URL.

SSN? (0)

Anonymous Coward | about 2 months ago | (#47231773)

Why would the telephone company have people's social security number? I thought only the employers, bank and internal revenue service need a person's SSN.

Re:SSN? (1)

PPH (736903) | about 2 months ago | (#47232299)

need a person's SSN.

Correct. But there's nothing stopping them from asking you for one. And refusing to do business with you if you fail to provide one. There is no law preventing the use of an SSN as a part of customer records. Want one? Contact your legislator. But good luck with this.

On the other hand, there is nothing that says you have to give AT&T, or anyone else without a federal reporting requirement the correct SSN. I give them the one that came on the sample card in my wallet.

This explains the phishing attempts (0)

Anonymous Coward | about 2 months ago | (#47232479)

I've been getting an automated phone call just about daily that claims to be AT&T requesting that I go to a website and enter all my credentials so I can win $200. I knew it would only be a matter of time until this headline popped up.

my phone. your phone. our phone (0)

Anonymous Coward | about 2 months ago | (#47233783)

so how did this go?
"hey bob. this att subsided phone blows ch7nks. anyway to remedy this?
sure. just gimme your ssn and we'll unlock it.
why?
well if its unlocked we can sell it to africa.
I see bob. heres my ssn then and get me a good price in africa.
will do.
