The company whose logo used to be the cracked Liberty Bell has some cracks in its own data security policies.
AT&T sent out letters this week to its wireless customers informing them that an unspecified number of customers have had their personal information breached by employees of service providers working for the company. The breach occurred, according to AT&T, between April 9th and 21st of this year.
Although the breach occurred over 2 months ago, it became public knowledge when the company filed a report with California regulators in compliance with a California law that requires notification when a breach could impact more than 500 customers. The filing states that the breach was traced to 3 employees of a vendor used by AT&T.
Although we do not know the full extent of the breach, it is significant because it included access to Social Security numbers and information that could be used in identity theft schemes.
The letter states that AT&T believes the accounts were accessed in an effort to obtain access codes used to unlock AT&T phones in the secondary mobile phone market, so that the phones could then be activated by other telecommunication providers. This activity itself would not impact existing AT&T customers.
To make amends, AT&T is offering potentially impacted customers one free year of a credit monitoring service and urges customers to take advantage of it.
While AT&T asserts that the offending employees violated AT&T policies, the incident highlights the need to have systems in place that enforce policies on devices and for applications, not just policies on paper. Endpoint security and mobile device management have never been more important.