back to article AT&T fires insider for slurping customers' social security numbers, driver licenses and more

AT&T has warned subscribers that a rogue staffer rifled through the telco's customer database without authorization. The telecoms giant said one of its workers pulled up sensitive information – including social security numbers – and was duly fired for breaking the corp's privacy rules. According to a letter [PDF] to …

  1. alwarming
    Alert

    Just fired ?

    Wouldn't this be a criminal offence ?

    1. Anonymous Coward
      Anonymous Coward

      Re: Just fired ?

      Depends. If the guy now works for a 3 letter agency it will probably be "forgotten" as long as he keeps this every place he goes to...

  2. Anonymous Coward
    Holmes

    The real question is...

    ...it's 2014 - why are banks and financial institutions still allowing people to illegally access our accounts using just a social security number and the name of our favorite dog, Muffy???

    For those of you who are uninformed (not many I would imagine), all this identifying information has been available on public display at the local courthouse for the past 100 years in towns and cities all over America. If you thought your social or DOB was somehow a big secret, you are likely to be very disappointed.

    1. Anonymous Coward
      Anonymous Coward

      Re: The real question is...

      I'm shocked they knew about Muffy, though.

  3. Stevie Silver badge

    Bah!

    "If the wrong person or the person in the wrong frame of mind decides to use that access badly, what can you do?"

    Seriously? "File criminal charges" would seem to be a good start.

    Publically disseminating the perpetrator's name so he/she never works in the industry again might be appropriate. Let them sue. I'm sure the public will be supportive when the first press conference is given.

    Sue in civil court to recover costs of all the measures that must now be paid for to guard those affected from future fraud.

    I have more ideas, if anyone from AT&T needs them.

    I'm an AT&T customer and I'm fed up with computer criminals making my life difficult.

    Next up: Why can't Chase f*cking Bank learn to encrypt their data on me so when it gets stolen again (and again) it can't be properly associated into dangerous information?

    1. Anonymous Coward
      Trollface

      Re: Bah!

      Chase bank CAN encrypt your data, but...

      ...there's a bit of a monthly service fee for that.

      1. Anonymous Coward
        Anonymous Coward

        Re: Bah!

        Chase bank CAN encrypt your data, but...

        ...there's a bit of a monthly service fee for that.

        That's part of the damned problem. Effin' corporate greed. Encryption should be the default not some paid for service. How st00pid can these "corporations" be? This is yet another reason why everyone should be telling these financial institutions to take a flying leap into the nearest volcano. Pull your $$$ from their control and put them elsewhere where they will work for you instead of some greedy arsed corporation. There's only one way these ID10Ts will get the message and that's by voting with your feet.

        Anon because I work with financial institutions. Against my moral standards but I have to make a living somehow :?

        1. Destroy All Monsters Silver badge

          Re: Bah!

          Pull your $$$ from their control

          You may be dismayed to find out that there frankly is not enough $$$ to do that.

        2. Anonymous Coward
          Anonymous Coward

          Re: Bah!

          That's part of the damned problem. Effin' corporate greed. Encryption should be the default not some paid for service. How st00pid can these "corporations" be?

          They're not stupid, they are simply not willing to spend one cent more than is required to only offset their own liabilities. They're not interested in what a leak does to a customer.

      2. Anonymous Coward
        Anonymous Coward

        Re: Bah!

        well, it's a good thing we bailed them out, and enabled them to snarf up WAMU and others...

        "too big to fail"...and still failing...:(

    2. dan1980

      Re: Bah!

      @Stevie

      I agree, file criminal charges - make it mandatory. However, I think the (rhetorical) question posed was about how you actually prevent this happening.

      Criminal charges are well and good but they are a deterrent, not a barrier.

      The answer to the question about what you can do is that, ultimately, you really can't stop this - not entirely. What you can do, however, is make sure that only those who NEED access to the information are even able to access it.

      That also means that each employee can see ONLY that information that is relevant and necessary for the task they are doing.

      Further, it means preventing any means to showing all these sensitive details en masse, such as in a nice table or report. By that, I mean that to see a customer's driver's license details, you would have to actually open the record. Beyond that, you could have those fields hidden and only show as a pop-up or when button is held down. You could even have the fields as images - or displayed in some way that made the text/details not able to be selected and copied.

      The reason for these measures is to prevent anyone being able to harvest large amounts of information quickly and easily. They'd be reduced to manually recording the data bit by bit - a slow process considering this stuff is only really valuable in bulk.

      And, all this shows why the numerous data collection regimes in place and in coming around the world are so dangerous - the information WILL get out. Whether through carelessness, ineptitude, curiosity, cracking or insider theft, the only ways to mitigate these problems are the same:

      • Keep as little as possible.
      • Secure the data as strongly as possible.
      • Restrict access to the information as much as possible.
      • Monitor diligently.
      • Punish ruthlessly.
      Or, more simply, always put the privacy of the person whose data is being collected above the convenience and/or profitability of the entity collecting and using it.

      Do that and at least you can say - when a breach inevitably happens - that you took all reasonable steps to try and prevent these problems.

      1. Stevie Silver badge

        Re: Bah!

        The problem that *I* see is that the harvesting gets any information at all.

        Stop keeping data around as tuples and the attack doesn't go away but it ceases to return information, only unrelated data. That data should only BE related when accessed through proper channels by authorized persons using encrypted meta data to do the job.

        The day of the relational database would seem to be over.

  4. Graham Marsden
    WTF?

    Rules? Guidelines...?

    How about "How the *fuck* was this sort of thing possible at all for a 'rogue staffer'"?

    1. Captain DaFt

      Re: Rules? Guidelines...?

      My thought exactly! Isn't there a system of checks, balances, permissions, and alerts in place, or were they just using the honor system?

      "This data could abused for millions! Promise not to touch it, OK?"

      1. dan1980

        Re: Rules? Guidelines...?

        Exactly.

        This is why the system already in place and soon to be massively expanded in Australia is so worrying as pretty much any even part-way government body can access information about you.

        For example, if a local council wants to try and track some who has been dumping rubbish on the side of the road, they can get access to cell tower information. Likewise the RSPCA (animal protection) and any number of other groups.

        But no, it's all good - no one will misuse any of this . . .

    2. Peter Simpson 1
      Coat

      Re: Rules? Guidelines...?

      1. Tie rogue staffer to pole

      2. Summon people whose information he viewed.

      3. Hand out paddles

      4. Form line.

      5. One at a time, no shoving.

      // cat-o-nine-tails in the pocket

      1. Fatman
        Joke

        Re: Rules? Guidelines...?

        1. Tie rogue staffer to pole

        2. Summon people whose information he viewed.

        3. Hand out numbered tokens to victims.

        4. Draw winning number.

        5. Give lucky victim a katana.

        6. Lucky victim gives perpetrator a quick gender change (perpetrator is highly likely to be male).

        7. Proceed to nearest pub.

        8. Celebrate!!!

        1. Ugotta B. Kiddingme

          Re: Rules? Guidelines...? Alternate instructions

          I would suggest a minor alteration of your otherwise excellent plan:

          5. give lucky victim a rusty, dull, serrated knife

          6. after discussion to verify everyone properly understands what "Go Medieval on him/her/it!" means, the lucky victim is encouraged to be creative with his/her treatment of the perpetrator.

      2. dan1980

        Re: Rules? Guidelines...?

        An alternative:

        1. Ascertain method used by 'rogue staffer' to access data.

        2. Dismiss 'rogue staffer'.

        3. File strongest possible criminal charges against 'rogue staffer'.

        4. Ascertain if any managers were negligent (e.g. in giving approval where it shouldn't have been given, handing out their password, etc...).

        5. Take appropriate disciplinary actions (including firing and/or criminal proceedings if warranted).

        6. Set security/development/oversight teams to investigate flaw and close it*.

        7. Commission external auditing to probe for any other ways such an incident could happen again.

        * - This may be a long process, overall, and the solution may not be entirely technical, involving additional training for staff, better authorisation processes, etc...

  5. frank ly

    It's all too difficult

    "Insiders are worse than hackers because there's no way to protect against them that's truly effective,"

    It couldn't be truly effective if there were many rogue insiders working together, but surely there can be methods of 'dual authorisation' that would work. How many people in AT&T (and similar), on a day to day basis, actually need to access the sensitive information of customers? Not many I'd guess. How many customers a day do they need to access in this manner? Not many I'd guess.

    Make all such data access a 'red flag' operation that is marked for oversight by a higher level manager in a different department. Have any mass access require a further password to be entered by a higher level manager in a different department. etc.

    People would moan and complain, yes, but the answer to that is, "It's part of your job, so if you don't like it then go looking for another job."

    1. Robert Helpmann??
      Childcatcher

      Re: It's all too difficult

      If you need to do business, you need people to access information. If the wrong person or the person in the wrong frame of mind decides to use that access badly, what can you do?

      The quoted person shouldn't be working in security! Frank ly, you've got a good start. Why not add in some auditing, both automated and human monitored? Robust logging with an audit trail that goes back a considerable amount of time? Restrictions on removable data and access to external networks? Granted for AT&T, this later might be difficult, but blanket statements about how impossible it is to address this issue should set management on edge. There is no security measure that cannot be overcome, but not even to attempt to address an obvious and common concern is ridiculous!

  6. Tzhx

    Why do AT&T even have these details?

    It may be because I'm an uneducated Brit unfamiliar with American ways, but why would your cable or telephone provider need to know you social security number or your driving license number?

    Virgin Media (cable) and O2 (phone) don't ask me for those sorts of details in the UK -- and both of those are just brands of foreign companies.

    1. Peter Simpson 1

      Re: Why do AT&T even have these details?

      They use the SSN as a unique identifier and to access your credit information.

      No, it's not supposed to be used that way, but it is.

    2. Triggerfish

      Re: Why do AT&T even have these details?

      I had to contact a US support team for a problem and their automated menu asks you to put in your social security number, hows that related to fixing a server in the UK?

    3. Erik4872

      Re: Why do AT&T even have these details?

      It's mainly because there's no national ID system beyond the Social Security number. The SSN is mainly used for credit reporting purposes so they can uniquely identify you if and report you if you fail to pay on your contract. States issue their own drivers' licenses which have unique numbers, and shockingly few Americans have current passports. I guess that's part of living in a huge country that spans 4 time zones (and doesn't have the best record of understanding that there's a whole "rest of the world" out there.) So, SSN and DL numbers are the main ways people are identified in the US.

  7. Erik4872

    It's a systems AND a people problem

    These data breaches keep happening over and over, and in my mind it boils down to a couple of reasons:

    - Companies "rightsizing" their IT expenditure by outsourcing systems support/security to the lowest bidder. A third party doesn't care about your system beyond doing the bare minimum to continue getting paid under the contract.

    - In the case of insiders, I think a lot of that has to do with companies treating employees poorly. I'm very lucky to have a good job with a decent company, but some places can be awful to work at. I could definitely see some staffer saying to themselves, "Why not? Who cares about the company when I could make some quick money selling the customer database to someone?"

    Bring some knowledge back in house, treat people right, give them ample time to plan things correctly, and you will have fewer breaches.

  8. Anonymous Coward
    Anonymous Coward

    O RLY?

    "Rogue Staffer", my @ss!

    "scapegoat" most likely

  9. raving angry loony

    Fired?

    Yeah, not allowed to do that unless you pay AT&T money, then it's all good.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021