AT&T recently began notifying an undisclosed number of its mobile customers that their personal information had been inappropriately accessed by three employees of an unnamed third-party vendor.
In the notification letter [PDF] to those affected, AT&T explained, “We recently determined that employees of one of our service providers violated our strict privacy and security guidelines by accessing your account without authorization between April 9 and 21, 2014.”
“AT&T believes the employees accessed your account as part of an effort to request codes from AT&T that are used to ‘unlock’ AT&T mobile phones in the secondary mobile phone market so that those devices can then be activated with other telecommunications providers,” the company added.
The information exposed includes the affected customers’ Social Security numbers and birthdates, as well as Customer Proprietary Network Information (CPNI) related to services purchased by the subscriber.
All those affected are being advised to change their account passcodes and to consider placing fraud alerts on their credit reports, and are being offered one free year of credit monitoring services from CSID.
For many companies, third-party vendors with privileged access to corporate data pose a significant security challenge. Just last month, a transcription service provider exposed 15,000 Boston Medical Center patients’ personal information, a printer mistakenly exposed 5,261 former Molina Healthcare of New Mexico members’ protected health information, and a third-party vendor mistakenly exposed an undisclosed number of Lowe’s employees’ personal information.
“A company’s attack surface grows as an exponent of the reliance on partners, outsourcing and even SaaS,” Core Security chief architect Andy Rappaport said by email. “They are relying on not only their security policy and enforcement, but also their partner’s. It stretches the trust boundaries beyond the enterprise.”
To mitigate that risk, Rappaport said, it’s crucial to ensure that your security enforcement, network access, IAM entitlements and auditing account for those partners’ unique level of access to sensitive data.
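One concrete form of the auditing Rappaport describes is a periodic review of vendor activity against the access each partner was actually authorised to perform. The following is an added illustration, not code from AT&T, Core Security or the vendor involved; the audit-record schema, the ticket-based authorisation model and the per-day baseline are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample records for a hypothetical vendor-access audit trail.
# Assumed fields: actor (vendor employee id), day, subscriber account,
# action performed, and the support ticket authorising the access (None if absent).
AUDIT_LOG = [
    {"actor": "vendorA-01", "day": "2014-04-09", "account": "ACCT-1001", "action": "unlock_code_request", "ticket": "T-501"},
    {"actor": "vendorA-01", "day": "2014-04-09", "account": "ACCT-1002", "action": "view_cpni",           "ticket": "T-502"},
    {"actor": "vendorA-02", "day": "2014-04-10", "account": "ACCT-2001", "action": "unlock_code_request", "ticket": None},
    {"actor": "vendorA-02", "day": "2014-04-10", "account": "ACCT-2002", "action": "unlock_code_request", "ticket": None},
    {"actor": "vendorA-02", "day": "2014-04-10", "account": "ACCT-2003", "action": "unlock_code_request", "ticket": None},
    {"actor": "vendorA-03", "day": "2014-04-12", "account": "ACCT-3001", "action": "unlock_code_request", "ticket": "T-601"},
    {"actor": "vendorA-03", "day": "2014-04-12", "account": "ACCT-3002", "action": "unlock_code_request", "ticket": "T-602"},
    {"actor": "vendorA-03", "day": "2014-04-12", "account": "ACCT-3003", "action": "unlock_code_request", "ticket": "T-603"},
    {"actor": "vendorA-03", "day": "2014-04-12", "account": "ACCT-3004", "action": "unlock_code_request", "ticket": "T-604"},
]


def review_vendor_access(log, unlock_per_day_limit=3):
    """Flag vendor actors whose account access looks unauthorised.

    Two checks are applied:
      1. any access to a subscriber account with no supporting ticket, and
      2. more unlock-code requests per actor per day than the agreed baseline
         (the limit here is an assumed placeholder, not a real AT&T figure).
    Returns {actor: sorted list of human-readable findings}; clean actors are absent.
    """
    findings = defaultdict(set)
    unlock_counts = defaultdict(int)

    for rec in log:
        if rec["ticket"] is None:
            findings[rec["actor"]].add(
                f"no ticket for {rec['action']} on {rec['account']} ({rec['day']})")
        if rec["action"] == "unlock_code_request":
            unlock_counts[(rec["actor"], rec["day"])] += 1

    for (actor, day), count in unlock_counts.items():
        if count > unlock_per_day_limit:
            findings[actor].add(
                f"{count} unlock-code requests on {day} exceeds limit of {unlock_per_day_limit}")

    return {actor: sorted(items) for actor, items in findings.items()}


if __name__ == "__main__":
    for actor, items in review_vendor_access(AUDIT_LOG).items():
        print(actor)
        for item in items:
            print("  -", item)
```

The same two checks translate directly to a SIEM rule: a vendor account touching a subscriber record with no linked ticket, or issuing unlock-code requests above its agreed daily volume, should page the team that owns the partner relationship.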
As Rapid7 global security strategist Trey Ford told eSecurity Planet earlier this month, “Attackers are going to be like water – they’re going to follow the path of least resistance. So it may be that a lot of your core systems are very carefully measured, but you don’t get to wash your hands and shrug off liability when you give sensitive data to external companies.”
By email yesterday, Ford said that AT&T failed to be as clear as it should have been in its communications following the incident.
“Customers and the general public will want to know when the initial breach happened, how it happened, how it was detected, and how long detection took,” he said. “We want to know that the problem was contained, what data was affected, and how it might be corrected and prevented in the future. AT&T has not provided this information in its disclosure.”