BreachExchange mailing list archives

AT&T Insider Data Breach More Dangerous Than External Hacking


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 17 Jun 2014 19:07:36 -0600

http://www.eweek.com/mobile/att-insider-data-breach-more-dangerous-than-external-hacking.html

AT&T has not formally disclosed how many customers the company's latest
data breach affected, but the attack appears to have exposed customer birth
dates and Social Security numbers (SSNs).

It isn't the first time that AT&T revealed that a data breach put customer
information at risk. Yet there is reason to believe that the latest breach,
which AT&T disclosed June 13, is more serious than past incidents.

Security experts eWEEK contacted were not surprised at the news that AT&T
customer data was breached, but there was some surprise over the motives of
the breach.

Girish Bhat, director of product marketing for Wave Systems, said that
while threats from insiders are no longer surprising, the intended use of
this hack—jail-breaking locked AT&T phones so that they can be resold—is
indeed surprising.

Lucas Zaichkowsky, enterprise defense architect at AccessData, told eWEEK,
"Three employees of an AT&T vendor with access to records stole them as
part of a scheme to make money by unlocking used cell phones. It seems as
though there was minimal or no hacking activity in the traditional sense of
the word."

Joe DeMesy, security associate at Bishop Fox, said it is all too common to
see companies be cavalier with customers' personal data. "The only
surprising thing is that it didn't happen sooner," DeMesy said. "Then
again, perhaps it has, and they only recently detected it."

AT&T has dealt with leaked customer information before. Back in 2010,
114,000 email addresses of AT&T's Apple iPad 3G customers were leaked.

In that incident, Goatse Security and security researcher Andrew
Auernheimer claimed that they were able to exploit a flaw on the AT&T
Website. Auernheimer was arrested by the U.S. Federal Bureau of
Investigation in 2010 and found guilty in 2012. Auernheimer's conviction
was overturned on April 11.

"The Auernheimer breach was problematic in that any user accessing the AT&T
Website was able to obtain email address information on iPad users," Bob
Stratton, general partner at Mach37, told eWEEK. "[The latest] event seems
more significant in that authorized insiders with access to the
provisioning system are said to have been misusing access."

Bishop Fox's DeMesy noted that while the Auernheimer breach only affected
email addresses, the latest compromise at AT&T disclosed phone records and
SSNs.

AccessData's Zaichkowsky noted that, in the latest breach, the attackers
were abusing the access they had as employees of an AT&T vendor, which
makes the scenario even more dangerous than the Auernheimer breach.

"It makes one wonder what AT&T and other vendors are doing to detect and
prevent data leakage," Zaichkowsky said.

In the Auernheimer breach, the purpose was allegedly to expose a flaw that
already existed in the AT&T system. In the latest breach, the purpose is
more sinister in that it was likely tied to a money-making scheme to enable
the unlocking of user devices.

"While the used phone market is cited most frequently in the articles about
this event to date, it is a mistake to fail to acknowledge that even
current customers sometimes want handsets unlocked at different times than
carriers will accommodate," Stratton said. "If the carriers accelerated
their moves to the new CTIA voluntary unlocking rights policies, it is
conceivable that the demand for this sort of service might decrease."

Mitigation

Organizations and end-users can do a number of things to help mitigate the
risk of data breaches like the one that just hit AT&T.

Organizations should limit the number of records employees can access at
one time and monitor for unusual employee activity, Zaichkowsky said.

Bishop Fox's DeMesy said AT&T officials clearly need to look at their
internal practices and enforce the principle of least privilege in which
employees only get access to the type of data they need to do their jobs.
"There is no reason for a vendor seeking to unlock a phone to also have
access to phone records and SSNs associated with the account," DeMesy said.
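The two controls the experts describe above (restricting each role to the fields its job needs, and flagging accounts that pull unusually many records) can be checked against a provisioning-system audit log. The script below is an added illustration, not AT&T's or any vendor's code; the log format, role names, field allowlist and hourly cap are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical per-role field allowlist: an unlock workflow needs device and
# eligibility data, never SSNs, birth dates or call records (least privilege).
ROLE_ALLOWED_FIELDS = {
    "unlock_vendor": {"imei", "account_status", "unlock_eligible"},
    "billing_support": {"account_status", "call_records", "billing_address"},
}
# Hypothetical cap on distinct customer records one user may touch per hour.
MAX_RECORDS_PER_HOUR = 20

def parse_line(line):
    """Parse one constructed audit line of the form
    '<ISO timestamp> user=<id> role=<role> customer=<id> fields=<a,b,c>'."""
    ts_str, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts_str)
    rec["fields"] = set(rec["fields"].split(","))
    return rec

def find_violations(lines):
    """Return (user, reason) findings: out-of-role field access and
    more than MAX_RECORDS_PER_HOUR distinct customers in one clock hour."""
    findings = []
    per_hour = defaultdict(set)  # (user, hour) -> customer ids touched
    for rec in map(parse_line, lines):
        excess = rec["fields"] - ROLE_ALLOWED_FIELDS.get(rec["role"], set())
        if excess:
            findings.append((rec["user"], f"out-of-role fields {sorted(excess)} on customer {rec['customer']}"))
        hour = rec["ts"].replace(minute=0, second=0, microsecond=0)
        key = (rec["user"], hour)
        per_hour[key].add(rec["customer"])
        if len(per_hour[key]) == MAX_RECORDS_PER_HOUR + 1:  # alert once per hour bucket
            findings.append((rec["user"], f"more than {MAX_RECORDS_PER_HOUR} records in hour starting {hour.isoformat()}"))
    return findings

# Constructed sample log: one clean lookup, one lookup reading SSN and DOB from
# an unlock-vendor account, then a burst of 25 records in a single hour.
SAMPLE_LOG = [
    "2014-06-10T09:01:00 user=v-alice role=unlock_vendor customer=C1001 fields=imei,unlock_eligible",
    "2014-06-10T09:02:30 user=v-bob role=unlock_vendor customer=C1002 fields=imei,ssn,dob",
] + [f"2014-06-10T10:{i:02d}:00 user=v-bob role=unlock_vendor customer=C2{i:03d} fields=imei"
     for i in range(25)]

if __name__ == "__main__":
    for user, reason in find_violations(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```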

Consumers should avoid giving companies personal information, such as their
SSNs, DeMesy said. "Many companies will ask for your SSN; far fewer
actually require it," he said. "The frustrating piece is that once a
company has your information, there is very little consumers can do to make
sure the company adequately protects the data."

Consumer vigilance is crucial when it comes to personal information.

"At the end of the day, we each need to be vigilant by monitoring credit
reports and financial accounts for unusual activity," Zaichkowsky said.
"Catching these incidents quickly, reporting them and taking action are
personal obligations."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss