AT&T recently began notifying an undisclosed number of customers that one of its employees “violated our strict privacy and security guidelines” by accessing their accounts without authorization in August 2014.
The data potentially accessed by the employee includes the affected customers’ Social Security numbers, driver’s license numbers, and Customer Proprietary Network Information (CPNI), which details services purchased, including which numbers the customer has called and when.
“On behalf of AT&T, please accept my sincere apology for this incident,” company director of finance billing operations Michael A. Chiaramonte wrote in the notification letter [PDF]. “Simply stated, this is not the way we conduct business, and as a result, this individual no longer works for AT&T.”
The notification letter gives no indication of any changes AT&T may be making to mitigate the risk of such breaches in the future. Still, it does state that any unauthorized charges to affected customers’ accounts will be reversed, that all affected customers are being offered one free year of credit monitoring from CSID, and that AT&T has notified federal law enforcement of the exposure of the affected customers’ CPNI.
This is the second such breach this year at AT&T. In June 2014, the company notified an undisclosed number of customers that their personal information had been inappropriately accessed by three employees of an unnamed third-party vendor between April 9 and April 21, 2014.
Following that breach, Rapid7 global security strategist Trey Ford pointed out that AT&T hadn’t been as clear as it should have been in disclosing the breach. “We want to know that the problem was contained, what data was affected, and how it might be corrected and prevented in the future,” Ford said at the time. “AT&T has not provided this information in its disclosure.”
The same is true, unfortunately, the second time around.
In the meantime, insider breaches continue to be a major problem for companies across a range of industries.
Florida’s Aventura Hospital and Medical Center recently acknowledged that a former employee of physician staffing firm Valesco Ventures may have inappropriately accessed as many as 82,601 Aventura patients’ names, birthdates and Social Security numbers. The breach was the third such incident at Aventura in the past two years (h/t PHIprivacy.net).
IberiaBank recently accused two former executives at Teche Federal Bank, which IberiaBank acquired earlier this year, of stealing several thousand customer files and providing them to competitor JD Bank. The executives, Darryl Broussard and Brayton Peltier, then allegedly deleted the stolen information from Teche’s computer system (h/t The Advocate, DataBreaches.net).
And home care provider network CareCentrix recently began notifying [PDF] an undisclosed number of patients that a former employee stole their personal information, including names, addresses, birthdates, Social Security numbers and health plan numbers. The breach wasn’t discovered until the company was notified by law enforcement on August 11, 2014 that the data had been found in the former employee’s possession.
Those breaches took place as the FBI and DHS warned of an increase in insider threats from current and former employees — and a recent SpectorSoft survey found that almost two thirds of IT professionals say they’re unable to detect or deter insider threats.
“While the percentage of insider threats — approximately 30 percent of all cyber attacks — has stayed broadly consistent since 2004, the total number of such attacks has increased dramatically, resulting in $2.9 trillion in employee fraud losses globally per year,” the SpecterSoft report [PDF] stated.
A recent eSecurity Planet article offered advice on how to defend against insider threats.