Now Available:

line

Featured Resources:

line

Realtime Communities

line

Newsletter

Email Address:


line

Monthly Archives

line

RSS

line

Ask the Expert

Have a question for our resident expert? Email your questions to Rebecca.

« New Breach Prevention and Detection Study | Main | A Smart Privacy Move by GSA: Arranging Credit Monitoring Agreements »

AT&T Handles Hacker Theft of Personal Data Better Than Many Others Have

Today Computerworld reported that hackers broke into AT&T's systems over this past weekend.

"Malicious hackers broke into one of AT&T Inc.'s computer networks and stole credit card data and other personal information from several thousand customers who shopped at the telecommunication giant's online store. AT&T said it was notifying "fewer than 19,000" customers whose data was accessed during the weekend break-in, which it said was detected within hours.  The company said it immediately shut down the online store, notified credit card companies and was working with law enforcement agencies to track down the hackers.  "We recognize that there is an active market for illegally obtained personal information," Priscilla Hill-Ardoin, AT&T's chief privacy officer, said in a statement. "We will work closely with law enforcement to bring these data thieves to account," Hill-Ardoin said.  AT&T said it would also pay for credit monitoring services to assist in protecting the customers involved. The data theft involved people who had bought DSL equipment for high-speed Internet access.""

It is refreshing to see that AT&T is not trying to downplay the potential seriousness of the incident. 

Breach response actions they did right:

  • Notified the impacted individuals quickly.  They did not wait months to notify as most other companies have done in the past, such as Choicepoint and the Veteran's Affairs agency.
  • Did not sugar-coat the potential impact of what could be done with the data.  They acknowledged that there are many fraudsters and criminals out there who make significantly large amounts of money selling personal information to other criminals.
  • Did not say that the information had not been misused.  Too many times companies try to shrug off the potential impact of the incident by saying that they do not believe stolen information had been used, or that there was no malicious intent by the unknown hacker, when in fact there is no way they could possibly know this.
  • Is paying for credit monitoring for the 19,000 impacted individuals.  Such credit monitoring, while not 100% effective, certainly will help the impacted individuals know if their data is being used for fraud in a large number of ways.  More...actually all...businesses must accept responsibility for their security incidents and step up and pay for this monitoring for impacted individuals instead of telling the individuals they must pay for it themselves.

I'll be interested to see follow-up information on this incident, if there is any.

Technorati Tags








 Email This!  Digg it!  Sphere it!  Del.icio.us  Reddit!  Newsvine

Posted by Rebecca Herold on August 30, 2006 8:26 AM |

TrackBack

TrackBack URL for this entry:
http://www.realtime-itcompliance.com/type/mt-tb.cgi/172

Post a comment

(All comments are approved by site leader before appearing here. Thanks for commenting!)

Search

line

Most Active Posts

line

Library Resources

line
line

Recent Posts

line

Categories

line

Rebecca Herold's Bio:

Rebecca Herold,CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books, dozens of articles, and has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.