AT&T admits theft of DSL customers' data, offers to pay for credit monitoring

Posted by Scott M. Fulton, III

San Antonio (TX) - As a gentle way of admitting that personal data records for as many as 19,000 DSL customers, including credit card numbers, had been stolen electronically by an unauthorized party, AT&T said today it would set up and pay for credit monitoring services, after having notified those who may have been affected. In the company's statement this morning, AT&T chief privacy officer Priscilla Hill-Ardoin said, "We recognize that there is an active market for illegally obtained personal information."

The company admits that records for customers purchasing DSL service and equipment online through AT&T were swiped sometime over the weekend, though a company spokesperson told the San Jose Mercury-News today that no incidents of unauthorized credit card use had yet been reported by customers.

After having come under fire last year for apparently cooperating with the National Security Agency in handing over personal customer records in conjunction with anti-terrorism investigations, AT&T made a revision to its privacy policy, on a page that appears only for existing AT&T customers. "While your Account Information may be personal to you, these records constitute business records that are owned by AT&T," the policy now states. The company may provide this information, it states, to certain third parties, including credit bureaus, service partners, and law enforcement agencies.

Both AT&T Corp. and SBC - the two companies that now comprise the current AT&T, Inc. - were no strangers to the problem of identity theft, having had their trademarks borrowed for notorious phishing scams since 2001. In 2004, MarketWatch columnist Herb Greenberg was himself the victim of a phishing scam that affected not only him but, strangely enough, other financial analysts. Having responded to letters that appeared to have been sent by SBC Internet Services, Greenberg and others discovered the information obtained by the sender enabled them to access these analysts' phone records online, perhaps to learn their sources.

Later that year, SBC issued what was intended to have become an annual report of the "Top Communications Scams and Threats" faced by its customers that year. Number one on the 2004 list was identity theft. "Thieves illegally obtain sensitive personal information such as credit card or social security numbers," SBC wrote, "often from discarded credit card statements, utility bills or personal checks."

What SBC didn't say was how easy it would be for thieves to obtain thousands of numbers not by rummaging through the trash, but by simply acquiring the online database whole. In fact, all of the company's "Scams and Threats" at that time involved unauthorized parties directly or indirectly interacting with their victims.

The three most damaging data items an unauthorized party can obtain together are your name, your Social Security Number, and one of your credit card numbers. All three are often requested, not only by utility service providers but also municipal and local authorities, supposedly to aid in identifying individuals. But as skeptical individuals such as blogger and author Devvy Kidd learned during a move to a new city, AT&T insists that its customers provide them with updated SSN information to verify customer data, even when customers already appear in their corporate database. In the case of Kidd, who was transferring her local phone service, she declined to provide her SSN, citing laws which state it is not legally required for validating personal identity. Some agencies may charge a deposit to customers who decline to provide this data, but will later remove that deposit once they've been validated by other means. AT&T was a prominent exception, in Kidd's case.

Later in that blog post, Kidd also mentions that her new credit union invoked the Patriot Act, by way of a written notice, in explaining why it was requesting her cooperation in providing it with her SSN, apparently for the good of the country.

Granted, AT&T's phone and Internet services are provided by separate company divisions, and the databases of the merger partners are still in the process of being reconciled. But if the databases were truly separate, then MarketWatch's Greenberg might not have had his phone records accessed by way of information obtained in the guise of his Internet service.

In an attempt to prevent people from posting their names, e-mail addresses, and SSNs in public places, Carnegie-Mellon University has developed what it calls an "identity angel." This program sifts job boards and other prominent sites, looking for patterns, and e-mails the would-be victims, gently notifying them that, had the message come from an actual intruder, they might have been instructed where to "tune in" in their area to provide a credit card number.
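The pattern-sifting step is the interesting part of such a program. The scanner below is an added illustration, not Carnegie-Mellon's code: it runs over a constructed job-board posting (all identifiers are made up) and reports SSNs, payment card numbers and e-mail addresses, using the SSA's never-issued ranges and the Luhn checksum to suppress the false positives a bare regex would raise. Name matching, which the real program also does, is left out.

```python
import re

# Constructed sample posting; every identifier here is made up.
SAMPLE_POSTING = """
Jane Q. Public - looking for a network admin role in Austin, TX
contact: jane.public@example.com  SSN: 123-45-6789
card on file for background check: 4111 1111 1111 1111
not an SSN: 000-12-3456   not a card: 1234 5678 9012 3456
"""

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# 13 to 16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def plausible_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000, 666 or 900-999,
    group 00 and serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def luhn_ok(digits):
    """Luhn mod-10 checksum used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan(text):
    """Return the PII found in text, keyed by kind, after validity checks."""
    findings = {"ssn": [], "card": [], "email": []}
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings["ssn"].append(m.group(0))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            findings["card"].append(digits)
    findings["email"] = EMAIL_RE.findall(text)
    return findings


if __name__ == "__main__":
    print(scan(SAMPLE_POSTING))
```

The two decoy lines in the sample show why the checks matter: a regex alone would flag both of them, while the validated scan reports only the plausible SSN and the Luhn-valid card.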

Two weeks ago, security expert Bruce Schneier reported on a case where one party, pretending to be a local pizza parlor, called up AT&T customer service and asked to have service for that parlor rerouted to another number of his choosing. There, the fraudulent agent accepted orders for pizza deliveries with credit card payments. Needless to say, he doesn't deliver pizza.

"The problem is the phone company, of course," Schneier writes. "They're forwarding calls based on an unauthenticated request." So in short, one representative of AT&T insists that customers identify themselves with SSNs when they don't have to, while another AT&T representative takes the word of a guy who says he's a pizza parlor. "It seems to me that AT&T would solve this problem more quickly if it were liable," he added.

If it could be established in court that AT&T's business records truly do belong to AT&T, as the company itself claims, then surely the responsibility for the theft of that data must lie with the declared owner of that data. Unless we live in a universe where Schrödinger's Cat truly can be both alive and dead, neither AT&T nor any other institution can own your personal data and at the same time expect you to be solely responsible for it, once it conveniently turns up someplace it doesn't belong.