AT&T Breached, Exposes 19,000 Identities

mytrip writes to tell us News.com is reporting that a recent attack on AT&T's systems saw thousands of customers' personal data compromised. About 19,000 customers of AT&T's online store who purchased equipment for a DSL connection were affected. From the article: "AT&T is offering to pay for credit monitoring services for customers whose accounts have been impacted because they could be at risk of identity fraud. The company also has made available a toll-free number to affected customers to call for more information."

"...customers were effected"

Should be "were affected." Or is it "we're affected"? I can never remember.

Re:"...customers were effected"

Yes, we know. Grammar here's defected.

Re:"...customers were effected"

[Pointdexter]

Yeah, it's not like the editors couldn't of fixed that.

Re:"...customers were effected"

The editors could care less about grammar. Nor idiom.

Re:"...customers were effected"

[asylumx]

While we're at it.... "thousands of customer's personal..." should be "thousands of customers' personal..." in the write-up. Why do we call the folks that run Slashdot "Editors" anyway?

Re:"...customers were effected"

[$RANDOMLUSER]

>>>were effected
>>Yes, we know. Grammar here's defected.
>>Yeah, it's not like the editors couldn't of fixed that.
>The editors could care less about grammar. Nor idiom.

AIIEEEEEEEEEEEE!!!!<head explodes>

(It's 5:30 A.M. here - what a way to start the day!)

Re:"...customers were effected"

[gEvil+(beta)]

Why do we call the folks that run Slashdot "Editors" anyway?

I honestly have no idea. I tend to think of them as story-posting monkeys. They sit behind a panel that has big "accept" and "reject" buttons that they randomly punch as submissions come in. How else can you explain the ridiculous amount of dupes, tripes, and tripe?

Re:"...customers were effected"

-1 Ignant for improper use of the word "of"

Re:"...customers were effected"

Irregardless...

Re:"...customers were effected"

A preposition is something you should never end a sentence with.

Re:"...customers were effected"

[Ms.Maus]

Wow, how ironic.

Re:"...customers were effected"

Couldn't HAVE fixed that, you fucking moron. First have a look at yourself before spouting your shit. Retard.

Re:"...customers were effected"

It was actually supposed to be a joke. Thanks for your kind words though :)

Perhaps an appropriate punishment

[Bromskloss]

...for using AT&T.

Re:Perhaps an appropriate punishment

[byolinux]

Duped already, too. ;)

Re:Perhaps an appropriate punishment

agreed

Re:Perhaps an appropriate punishment

[byolinux]

Heh, seems the duped story was removed :)

Re:Perhaps an appropriate punishment

[Em+Adespoton]

That would be fine if AT&T were the only company having these problems.
Has ANYONE set up a clearinghouse for these security breaches so I can keep an eye on where (not if) my private information is leaking?

O RLY?

[abscissa]

They will pay for credit monitoring services, but will they pay for all the liability from a stolen ID? That can reach into the hundreds of thousands of dollars in real damage.

Re:O RLY?

[bsartist]

They will pay for credit monitoring services, but will they pay for all the liability from a stolen ID?

It wasn't stolen, it was "shared". Making a copy doesn't take anything away from the original owners, right? They still have their names, social security numbers, etc.

That can reach into the hundreds of thousands of dollars in real damage.

A few days ago you said "copying a CD is not a crime". Make up your mind. If information wants to be free, copyright should be abolished, etc., then the same principle applies just as much to your information as it does to a CD. Either "sharing" is OK, or it's not. You want it both ways.

Re:O RLY?

[TIMxPx]

Good point. I suppose that a person releasing 1 million copies of a CD should expect the same level of privacy as a person who submits encrypted credit card information. Oh wait, maybe not.

Re:O RLY?

> It wasn't stolen, it was "shared". Making a copy doesn't take anything away from the original owners, right? They still have their names, social security numbers, etc.

It wasn't shared (that implies willingness). If anything, it was "exposed", because it was suposed to be secret or confidential information, something a Britney Spears CD is not (but I would not arge with you if it should).

Re:O RLY?

[smooth+wombat]

Sort of like when a CD is encrypted so it can't be copied and someone breaks that encryption then releases a million copies of the song. Pretty much apples and oranges.

Oh wait, maybe not.

Re:O RLY?

A CD is already released. I'd have NO DIFFICULTY with someone who wants to keep an UNPUBLISHED CD secret like other secret information. Copyrightists want to have their cake and eat it too, releasing information, but then denying others their right to commmunicate information. Even if you did know my bank password, I don't think you should be penalised merely for knowing or passing on the information (what if my password was your name? Information is NOT a thing, only copies of information are real), only using it to debit my bank account. And what is a bank account debit? interfering with SOMEONE ELSE's physical copy of some information - you could "debit" YOUR COPY of my bank account balance all you want, it's only the bank's copy that matters. Physical property law applied sanely justly deals with issues of information, all problems arise from humans trying to treat information as a thing independent of its physical medium.

Re:O RLY?

CDs aren't encrypted; if they were encrypted, they wouldn't be CDs. Read the fucking Red Book/a, numbnuts.

Re:O RLY?

[dragonsomnolent]

I'm not going to get into the whole copying a CD is not a crime, I don't do it, I don't want the legal ramifications if busted file sharing, but, I don't think that Metallica went bankrupt becuase some kids were downloading MP3's off napster. I am pretty sure, however, that if someone's identity is stolen, it could cause them to loose everything (mortgage forclosures, auto repossesions, having your bank account wiped out these things are very damaging). The data on a music CD is far from sensitive. Before you bash me about this, please understand, I agree that artists have a right to sell their art, just as I have a right to sell my services, and that it is not right to simply go out and rip a CD and put it up on the P2P networks, that does cost the artist, and I agree that it is not right. I'm just saying SS#, adresses, credit card numbers are far more sensative data. Different levels of security for different levels of sensitivity, that's all

Re:O RLY?

[Qzukk]

the same principle applies just as much to your information as it does to a CD. Either "sharing" is OK, or it's not

Wake me up when downloading a track from emule gets thousands of dollars in creditcard debt taken out in the artist's name by kids on IRC, illegal immigrants getting forged licenses with the label president's drivers license number or getting a job using their SSN, or terrorists buying an internet connection in their name and using it to plan their next bombing run.

Until then, your attempt to claim that these are equal and should be treated as such are pathetically dishonest.

Re:O RLY?

[jackbird]

It wasn't stolen, it was "shared". Making a copy doesn't take anything away from the original owners, right? They still have their names, social security numbers, etc.

That's true. And if the identity thieves stop there, simply filing their collection of stolen identities away and displaying a few choice specimens above the mantle for when guests come over, I don't have a problem with it (well a small one, but I can deal).

When the identity thieves use those stolen identities to clean out bank accounts, take out fradulent loans, and steal real, physical goods using credit cards in the victim's name, then they do take something the owner no longer has. IHBT. HAND.

Re:O RLY?

>It wasn't stolen, it was "shared". Making a copy doesn't take anything away from the original owners, right? They still have their names, social security numbers, etc.

A Okay, the quick and easy definition of stealing (again) is:

Taking the property of another depriving them of it for any period of time without permission.

Fails the "stole a CD by copying" test since if you borrowed it with permission, copied it, and returned it, the original is still just as enjoyable as it was before it was borrowed (assuming you didn't damage it). The owner of the CD is never, ever deprived of it without permission.

Passes the "stolen ID" test because purposeful misuse of the information will deny the account holder the use of it. Example: Credit card is filled to the limit. Now the credit card is unusable. They are wrongfully deprived of their credit card account. Should the theives choose now not to abuse the information (since they are being watched) nobody will end up with identity theft as their information is no less useful than it was. However, most criminals aren't that smart and they'll probably steal someone's ID for drug/gambling/mob/whatever money.

Doesn't take a genius to see the difference.

Re:O RLY?

[blugu64]

Heh, good luck with that encrypted audio cd ;) (hint they are not encrypted)

two people are not breaking into the record companies computers to get the music.

Re:O RLY?

[jZnat]

I think a better comparison would be somebody leaking a high-quality pre-release of a movie.

Re:O RLY?

[orasio]

You are wrong.
Copyright is about restricting the freedom of the user of the stuff.

The distributor performs the service of giving you the information, and you pay for it. End of story, no agreement, no contract.
Then, there is a law that says that your freedom to distribute the information you paid to access is restricted. You have to wait a lot of time, virtually forever, and then you can share it anyway you like.

About private information, you enter an agreement with someone to share it with them, and they have an agreement with you, to not share it.
Secrets are ok, because the only losers are those that were never intended to have the information. It's ok to have secrets. They take the responsability to restrict access to that information.
You could make the case that you could not steal, but destroy a secret, because it ceases to exist once you discover it, but that would not be stealing, although it's a real damage.

Copyright is bad, and infringing it is not, because copyright is about restricting people who _are_ intended to have the information.
It's not ok to _force_ others to restrict access to information you distribute, and it would be even worse to have me pay for governments to restrict other peoples access to information. That kind of thing would happen if copyright infringement was invented to be the same as stealing.

Re:O RLY?

[Evro]

I imagine if someone was copying the information simply to have it, it wouldn't be a big deal. But the fact is that they're copying it for the purposes of identity theft, which translates to real dollars-and-cents costs for the victims. Copying a CD is not the same thing as copying someone's credit card number, which implies using that number to purchase goods with the stolen information. Your argument is cute but specious.

Re:O RLY?

[jb.hl.com]

Copyright is about restricting the freedom of the user of the stuff.

No, it's more about protecting the freedom and interests of whoever made a work of art, which is its intention.

Re:O RLY?

You are both wrong, it's about the right to copy things... hence the name "copyright".

Re:O RLY?

[fyndor]

Probably not, but it seems like they are going farther than most companies, which in the past notifying the customer seems like the extent a company was willing to go with this kind of blunder. Not that I'm praising them. Companies holding my personal information need to be more secure. But I think this is atleast a step in the right direction. This kind of thing is happening WAY too much lately. WTF

Re:O RLY?

[sgt_doom]

One wonders who owns all these "credit monitoring services" getting all this humongous business lately???? Oh, could it possibly be the same companies which are giving it to them and then doing the tax write-offs?????

[America is 100% corrupt - anyone who does not know this is ignorant - but there is a cure for ignorance - it's called knowledge and awareness.]

Re:O RLY?

[Duhavid]

Actually, they are encrypted. Play them backwards to get the "plaintext".

Pretty subtle, eh?

Re:O RLY?

[orasio]

- Copyright is about restricting the freedom of the user of the stuff.

No, it's more about protecting the freedom and interests of whoever made a work of art, which is its intention.

It's about protecting the interests of the original distributor, at the expense of restricting the users freedom, if you want to say it that way.

The original intent was about the authors, right now it's more tailored to the needs of distribution companies rather than creators themselves, at least in most countries. For example, duration: death + a lifetime is too much for a single person. Death + 20 years would be good enough if it was about the interests of the creators.

Re:O RLY?

[jb.hl.com]

That's fair enough, and I personally believe in just a life copyright term, with things becoming public domain on the author's death.

Thats exactly why...

I choose to be an Anonymous Coward.

Re:Thats exactly why...

[$RANDOMLUSER]

Helloooo? Mods??

That's exactly why...
I choose to be an Anonymous Coward.
Signed: Anonymous Coward

That would be "Insightful", not "Flamebait" or "Offtopic" anything else.

Re:Thats exactly why...

Please mods... PLEASE!!! For the love of God, please mod up a post!
$RANDOMLUSER is quite an apt handle.

Re:Thats exactly why...

[SamSim]

You sure post a lot.

Only "thousands"?

[KiloByte]

thousands of customer's

Wait, so an one-time spill of the data of just mere thousands of customers (no "'") are suddenly news, and everyone forgets about ongoing constant spilling of the data of 299 millions? Interesting...

Re:Only "thousands"?

[azaroth42]

Will the CTO of AT&T resign like AOL's did over the search history release, which was significantly less damaging than this.

I'm putting my money on No, personally.

-- Azaroth

Re:Only "thousands"?

[$RANDOMLUSER]

To you and the GP:
This was a break-in, not a "spill", which was detected by AT;&T, on the weekend at which time they took very active measures (shutting down the site and contacting credit card companies). Sounds to me like they have some pretty good procedures in place already; you know, the kind of thing a CTO is responsible for.

Re:Only "thousands"?

[__aamnbm3774]

what are you referring to kilobyte?

Re:Only "thousands"?

Sounds to me like they have some pretty good procedures in place already

Like fuck they have, otherwise this wouldn't even have been possible.

Re:Only "thousands"?

[balsy2001]

I am in the military and have had my personal information lost/stolen 3 times in the last 18 months. 1) By bank of american "shipping" backup tapes of my account history and other gov crad holders in the back of somones car, 2) Veterans Affairs laptop, 3) Someone hacking into the DOE. This kind of thing happens all of the time and there aren't any real consequences for anyone in either the public or private sectore. As you all may remember the VA loss affected 26 MILLION people.

Re:Only "thousands"?

>Sounds to me like they have some pretty good procedures

Stunning. What part of the "pretty good procedure" says to store someones credit card number after it was used? ATT has no further need - they were from purchases at their online store.

Re:Only "thousands"?

Will the CTO of AT&T resign like AOL's did over the search history release, which was significantly less damaging than this.

If the CTO authorized this data release, I expect to see a resignation.

In other news

[suv4x4]

In other news:

"AT&T infects 19'000 of their customers with AIDS, after a 'breach' of their 'security' yesterday.
AT&T is offering to pay for free condoms for all affected customers."

Re:In other news

[BSonline]

That is a rediculous analogy. If, somehow, AT&T was protecting someone from AIDS, I'm sure if someone broke in and caused a wide spread infection, our attention would be at the person breaking in. Why doesn't anyone care who stole this information? Just one of them wandering security holes? No, someone broke in and stole it. If someone had stolen diamonds, "AT&T" would be looking for and replacing diamonds. Someone stole information, AT&T is trying to keep it from being used. I'm definitely not a corporate fanboy, but hating blindly is just wrong. They did the best they could, and are working towards a solution. And public information deserves to be free. Even many forms of artistic media. Information that can be used to hurt someone's well being or finances should be protected.

Re:Will AT&T pay for....

[kjart]

Were you potentially a victim of this crime? You seem to be taking it fairly personally - as evidenced by your rater exagerated counterpoints. I for one am willing to give AT&T credit for at least offering to help in some way - most of the times I've read about this happening the company involved didn't offer to pay for anything.

Oi! Hie Thee to Strunk and White!

[JumpingBull]

Affected is preferred.
Effected suggests being brought into being. A database security breach that effects 19000 new customers would not only bring the wrath of the accountants at the Security and Exchange Commission, but also suggests a militant AI broken loose in ATT!

In response to the A/C that suggested we're; you can remember that a comma suggests a contraction of we are.

God is an Iron; Engish was my most hated and worst subject. I leave a glass of Wry for my fellows, but I had to learn this grammer stuff in self-defence. Which I shall maintain in a Court of Law.
Oh, Strunk and White, "the Elements of Style" is a fast way to invigorate your writings. Well worth getting.

Re:Oi! Hie Thee to Strunk and White!

[pookemon]

"Engish"

lol

Re:Oi! Hie Thee to Strunk and White!

1. "Suggest," not "suggests."
2. "Who," not "that."
3. Quotation marks are necessary to indicate the treatment of words as text.
4. Omission of the ampersand in AT&T's name is neglectful at best.
5. Use italics, not quotation marks, for book titles; also, the comma is not a substitute for a genitive ending.
6. Finally, as others have noted, the subject you seek is "English."

I sympathize with your cause, but the effort above is unacceptable. Shape up or ship out of the Grammar Reich, soldier.

Re:Oi! Hie Thee to Strunk and White!

[1u3hr]

OK, I can understand, if not agree with, an "off topic" mod, but how the fuck can a post with no poitive mods be "overrated"? Asshole moderator.

Why did ATT allow the possibility?

[Nutria]

Why did ATT keep confidential records on an exposed system in the 1st place, instead of immediately moving the critical data to a behind-the-firewall system?

Or... did they do that, but the crackers were able to pierce the firewall?

Re:not my fault...

[legoburner]

no wonder i have shitty credit... ppl keep stealing my identity... how do i start a new credit report?

Steal someone's identity.

Look, shit happens to the best of us.

[Pink+Tinkletini]

I'm not saying AT&T is "the best of us," but your proposed remedies are fucking childish. Do you also support capital punishment for late pizza delivery?

Re:Look, shit happens to the best of us.

[Dhalka226]

*claps*

I was trying to find a way to say just that. Kudos.

Re:Look, shit happens to the best of us.

Yes... yes I do.

Yesterday's pizza was late, I was so fucking hungry I wanted to kill the guy.

Re:Look, shit happens to the best of us.

Well, I expect it in 30 minutes or it's free.

Re:Look, shit happens to the best of us.

[DesireCampbell]

If AT&T is the pizza guy, they didn't show up late; they showed up with shitty pizza, charged me way too much for it, has been regularly giving my delivery records (including my name, number, address, pizza info, time of delivery, etc.) to the NSA, and have such slip-shod security that information gets leaked putting me (and 19,000 other pizza loving customers) at risk for identity fraud.

Late pizza is the least of my worries.

'Affected'

You're welcome.

Stop collecting SS#

These companies need to stop collecting this information in the first place. There is no need for AT&T to have this at all to do their business. Last I checked they aren't the Social Security department.

Re:Stop collecting SS#

[Dilpo]

The article said nothing about ss#'s
And if you must know these businesses usually keep this stuff on record for more than one reason which includes taxes (incase of an audit) returns (so they can put it back on the original credit card because it would be illegal to transfer the balance to another)
and believe it or not but some people do actually sign up to have their cc billed automatically everymonth.

Re:Stop collecting SS#

[noidentity]

I went to the dentist recently and they wanted my name, address, phone number, social security number, and driver's license number. Since I wasn't paying my cash, I decided that they would like some kind of contact information in case my check bounced (though I guess that's on the check), but I left the SS # and DL # fields blank, since I couldn't figure out what the hell they needed those for (perhaps if I was using insurance?). I figure I'll encounter the same at the doctor. With all the terrorist paranoia, I wonder if I'll become a suspect because I'm not willingly giving over my SS # to anyone who asks. Even the government's "avoid ID theft" pamphlet recommends not giving out such information unless absolutely necessary.

Good for them

[Rogerborg]

The news here isn't that some incompetent set up their systems, nor that they were cracked. The news is that they've responded openly and meaningfully, without trying to deny it or play down the scale of what happened. I wouldn't be hurrying to sign up to their service because of it, but it certainly doesn't bias me against them. Honesty and integrity are rare enough qualities in corporations that we should applaud them when they claw their way past the lawyers and PR weasels.

Re:movd up

[Pink+Tinkletini]

Any Slashdot post that begins with "bloodfarts" is worth reading. Wish I had mod points.

It looks like . . .

[Don_dumb]

. . . AOL is off the hook.

Steal identity?

[homer_s]

How can anyone steal someone else's identity? Oh, you mean they stole people's social security numbers. That should not be a problem, because as we all know, ss numbers are not meant to be used for identification.

The real problem is companies and the govt using SS# for identification. At this point, about 50 ppl know my SS# - the librarian, the assistant at my school, the clerk in the bank, etc, etc. - so any of these people can harm if they don't like me for some reason? This is stupid.

So what next? Some company decides they are going to use FIRSTNAME_LASTNAME as the id and we are all supposed to keep our names a secret? And run around complaining when our 'identity' (FIRSTNAME_LASTNAME) is stolen?

In many countries, you need a notarised signature to obtain loans, etc. While not foolproof, you can always prove it was not you and it takes more effort to commit fraud.

Re:Steal identity?

[pcgamez]

The problem is not that 50 people know your SSN. The issue is that companies still act as if it is a secret identifying number. To a company, if you know a name, address, and SSN, you must be that person. It is simply assumed.

Re:Steal identity?

[russ1337]

That is why, when they ask for my SSN, i say "I don't have one"... They say "huh? *dumbest look on their face*" and I tell them "I was born overseas and do not have one... and you shouln't need it anyway....."... It usually works. I've nearly always had to pay a higher deposit ('cos they cant check my credit), but its a small price to pay to not give my SSN to the library / power company / phone company / old navy / lunchlady...

Re:Steal identity?

[SCHecklerX]

Just make up a fake one for these purposes. Unless they are paying you, taxing you, or checking on your finances, they don't have any need for it. Certainly not as a customer ID.

Re:Steal identity?

[Eivind]

I agree. In Norway we also have a "personal-id-number" which works sort of like a SSN in the states. The main difference being that this is explicitly *not* secret. And *no-one* will assume that you are a certain person just because you happen to know the id-number of that person.

An id-number works perfectly well for *identifying* a certain person. (the bank, the tax-man, the car-registration-people, the unemployment-office and many more will all recognize that a certain number corresponds to a certain person)

It absolutely sucks as *authenthication* though. Because by nessecity you give the number to lots of people and organisations (if you didn't, they couldn't use it to identify you -- duh !) and trusting all these to keep the number secret, and never leak it, very obviously does not work and can not work.

Re:Steal identity?

It absolutely sucks as *authenthication* though.

I'm thinking of a number between 000000000 and 999999999. What is it?
You can't guess it, can you? Works pretty well, doesn't it?

:)

Re:Steal identity?

The real problem is companies and the govt using SS# for identification. At this point, about 50 ppl know my SS# - the librarian, the assistant at my school, the clerk in the bank, etc, etc. - so any of these people can harm if they don't like me for some reason? This is stupid.

No, the problem is companies and the govt using knowledge of a SS# as authentication. Your SS# is exactly an identifier - it uniquely identifies you in a way that names or name/dob combinations don't.

If I walk up to you and say "Hi, I'm Mr. 123-45-6789", your response should be "can you prove that to my satisfaction", not "OK, here's a loan for $100,000". That is the problem...

Fected

About 19,000 customers of AT&T's online store who purchased equipment for a DSL connection were effected.

That's *affected*. Sorry, pet peeve.

Heck, frankly...

[skids]

I wouldn't even be so sure of that. Nowadays whenever I see any corporation saying they take responsibility for something, I immediately suspect another yesmen prank.

Now that may not be very likely, but if I were the yesmen, I'd be perched and waiting for another ID theft scandal, because nothing would be more meta than stealing the ID of a PR person handling an ID theft incident.

They Hung Up On Me!

[Kamiza+Ikioi]

"The company also has made available a toll-free number to affected customers to call for more information."

AT&T: Thank you for calling AT&T, how may I help you?

Me: Yes, I'm calling because I have learned through the news that my personal information may have been stolen.

AT&T: Did you have a DSL account with us?

Me: DSL?

AT&T: Yes, sir, high speed internet? This affects DSL customers.

Me: I thought this was for phone calls. You mean the NSA stole my internet data too? Those bastards!

*click*

Me: Oh wait, I have Vonage, the phone is just an old one branded from AT&T... hehe, my bad. Hello? Hello?

This goes back to the original problem..

[saboola]

You should not be able to do so much damage with a simple number and some extra data. It is ridiculous that armed with merely this amount of information one could cause so much damage. The system needs to be completely reworked.

Re:This goes back to the original problem..

[meatspray]

They need to stop using ssn for primary identification. Take an md5 of the ssn and use it for verification perhaps but using it for id is just silly.

Free Credit Report?

Why am I starting to think that companies feel O.K. with these security breaches?

Maybe it has come to a point where it's cheaper for them to issue free credit monitoring than to enhance their security.

I am sorry but they should be held way more liable than a simple credit monitoring 'consolation' prize.

On AT&T words...

Here's the official AT&T press release.

It affects about 19,000 customers "who purchased DSL equipment through the company's online Web store." The attack occurred during the weekend, and included access to credit card information. AT&T is notifying affected customers and "quicly notified the major credit card companies."

Re:not my fault...

Steal someone's identity.

Have mine, I'm not using it...

Check out AT&T's wrongdoing

[applix7]

Their mobile phone division is especially vile, in my experience. http://home.comcast.net/~plutarch/malfy.html

English, Part II

[Ancient_Hacker]

That should be "affected", not "effected". There's a difference.

Re:English, Part II

People generally don't know the difference anymore what with the trendy misuse of the word impact used so often. I see "This will impact the schedule" in an email at least once a day. As you can guess I work with a bunch of government dependant twits.

19,000 customers EFFECTED?!?!?!?

[ZeusAndHades]

So someone hacks a server and 19,000 new customers are created as a result? HOLY CRAP! YOUR RETARDED!

Re:19,000 customers EFFECTED?!?!?!?

So someone make a dickish comment about using the wrong word and then uses the wrong 'YOUR'. HOLY CRAP! YOU'RE RETARDED!

Re:19,000 customers EFFECTED?!?!?!?

>HOLY CRAP! YOUR RETARDED!

The irony is so delicious, it HAS to be fattening!

NSA hard at work

[MECC]

Maybe it was the NSA.

Re:NSA hard at work

[johnnytv]

Online writer Wayne Madsen http://www.waynemadsenreport.com/Datathefts.php has been keeping track of the recent upsurge in data thefts. He believes it's a covert program and not just some garden variety criminals.

No copyright

[PetriBORG]

I know you mean this as a joke, so this isn't directed at the poster really. Still I have to worry that some people might actually believe what you just wrote there. The only thing on a SS-card or a credit card might be the artwork, everything else has no copyright.

And the fact that these people had their ID stolen is extremely sad. Everytime I get an ad in the mail from my bank wanting me to buy id-theift protection I want to call them and ask about racketeering... Have these people zero liability when they lose my data? How can that be so? It makes no sesne. If the RIAA sues me for pirating music yet I cannot expect compensation from AT&T or Citibank or whoever lost my info yet again and thus resulted in my identity being stolen.

What we need is a universal ID, not one that olds my bio-data and crap that can only hurt me, but a public/private encryption key pair which can be used to encrypt transations and force the company to store my data in a personal encryption locker. One that can be used to lock my vote in and prevent alteration by Diebold or whatever moster that comes next. One that is for the people by the people (aka open source) and scrutable by others for security problems.

Re:No copyright

[bsartist]

The only thing on a SS-card or a credit card might be the artwork, everything else has no copyright.

I used the term "principle" for a reason. The principle I'm referring to is control. The legal technicalities are different - which is why I specifically did not refer to them. But the principle is the same: the right of a person to control and/or limit the distribution of specific bits of information. To demand that right for one's self while at the same time trying to deny it to others is hypocrisy, plain and simple.

Cable companies?

[SCHecklerX]

With the stupid ads that the cable companies has been running lately, I'm wondering if they hired someone to do this.

See there is the problem...

[Tran]

The credit card information for purchases is not supposed to be stored according to what I have been told. That is why I never ever let companies have access to my bank account or credit cards for recurring charges. I pay recurring charges electroncically from the bank. I think that letting companies take money automatically from one's own account is rather risky since the companies would need to store that info. These breaches certainly don't allay that fear. It is true, the bank's security could be breached as well, but at least there is only one place from where information can be taken rather than 10's of places.

Re:See there is the problem...

Your policy of not having companies automatically deduct from your accounts is a little paranoid, but probably not a half bad idea. That being said, I just wanted to let you know that anytime you pay with a check, have a company deduct from you bank account, or even have your bank make the payment to a company on your behalf, your information is still seen by both sides. Also, it is perfectly legal for any company you have authorized a payment to to keep a record of the transaction. They're not allowed to store the 3 or 4 digit Security Code on the back of your card; but everything else is fair game.

What really matters

[IamWhoIam]

Is the fact that AT&T, who spends more on network security than the gross national income for a lot of countries was compromised, and confidential information was stolen. It doesn't matter how their multi layered defenses got breached, what does matter is they did get breached. The lesson here is IF they can be breached who can't??

Scope Creeps

[Doc+Ruby]

Corporations should not be allowed to store personal info longer than the duration of the transaction, or transmit it outside the scope of the transaction. AT&T should be prosecuted for liability, including lifetime exposure to ID fraud. AT&T security and policy managers and directors should hold personal liability, piercing the corporate liability veil.

Then we'd see American corporations rush to rewire their databases to protect customers, instead of protecting their advantages in charging and marketing to us, and the risk that their few bucks benefit will destroy our lives.

Re:Scope Creeps

[Em+Adespoton]

This all sounds well and good... but the costs of all these upgrades would get passed on to the consumer. The end result would be that nobody would be stealing your identity/datamining your soul, but it wouldn't really matter because 1/3 of the things you use your identity for would no longer be available, and 1/3 of them would no longer be acessible to YOU. Convenience and security are at opposite ends of a sliding scale.

Re:Scope Creeps

[Doc+Ruby]

They might try to pass their costs to the consumer. But that's a problem with competition in the telco cartels. Which is being solved by tech innovation and legal requirements to force open access to telecom subscriber networks.

If AT&T was found liable for these exposures to probably 500K subscribers the past few years at $5K each cost for protection, that's $2.5B. They might try to pass the cost on to all their subscribers, but they'd find subscribers dropping and switching to competitors. While it probably costs maybe a few $million to upgrade their practices and SW to reduce liability.

With competition, these telcos would first see their profits shrink, then reinvest in upgrades. That's how real market economics works, especially when the market's operation is protected by competition assurance and service standards.

Anyone Know the Details?

Anyone on /. know the details of this?

Was this an injection attack? Application server vulnerability? Secret page? Worm? Some of us would like to know how this happened, and none of the news stories are blabbing.

I got hit by this one

I'm one of the folks whose information was stolen. I discovered this not by AT&T informing me, but by the phishing attempt I received via email. The email claimed they couldn't access my bank account to pay for my order, and directed me to what appeared to be the ordering site. Since they had the actual order number, I didn't think anything was amiss (other than another company screw up asking me to pay for an order I'd already paid for), and clicked the link.

I was surprised to be prompted to enter my birthdate and SSN. Which, of course, I did not do. It was also suspicious that all the images were not loading. That's when I noticed the link I'd clicked was not sbcdslstore.com, but sbcdslstore.org. They'd set up a phishing site, linking back to the images on the real sbcdslstore site. (SBC became AT&T, and the company was still using the old site I'd imagine.) At least by shutting down their site, AT&T made the phishing attempt much more obvious.

The ironic thing for me is that I'm not even an AT&T customer. A friend of mine who does use their DSL service moved recently, and lost the AC/DC adapter for their DSL model somehow in the move. Since they didn't have internet, I was nice and ordered a replacement adapter for them. Another good deed punished. Oh well, I was thinking of changing banks anyway.

I think you'll understand why I'm posting anonymous.

Re:I got hit by this one

[kalirion]

Um, who the hell is marking this flamebait? AT&T employees? The phishers? I'm really at a loss here. And yes, I realize I'll probably be modded down as "flamebait" or "troll" or something.

Truly ironic

*whoosh*

Hey, what's that flying over your head?

Re:Truly ironic

[Ms.Maus]

Lasers, obviously.

kids these days

"effect", transitive verb: to bring about, accomplish, cause to happen.
"impact", transitive verb: to crush, collide with.
"affect", transitive verb: to act upon, bring about a change in.

Which verb should be used in the two examples above?

Re:kids these days

[Athenais]

"screw", transitive verb: to defeat with trickery or deception, to place in a situation impossible to escape

they should do more to protect the customers.

[awss82]

After the customers got affected then only they offer the monitoring service. So shocking they should add the feature long time ago..

torrent

torrent?

Where there's smoke

[cyberbian]

there's fire.

This is small time compared to the egregious breach of privacy experienced by nearly everyone with AT&T's complicity with the NSA's illegal splitting operations in San Francisco and elsewhere. AT&T is at it again time for more anti-trust remedies.

Re:Where there's smoke

[King_TJ]

Huh? The responsibility for that illegal operation should rest squarely on the shoulders of the current presidential administration. You can't reasonably expect any company in AT&T's position not to comply with something like that - no matter how evil the request is.

Ultimately, they're put betweewn "a rock and a hard place" because they have no immediate legal recourse for a demand placed on them from the highest level of government. They're already govt. regulated as it is - and failure to comply with such an order could effectively put a freeze on their ability to do business at all.

I think their smartest business move was to just go along with things, but not to interfere when it gets challenged in court either. This is between the govt. and the people, with AT&T getting drug into the middle of things because they owned the technology that needed to be tapped into to make the spying plans work.

Re:Where there's smoke

[cyberbian]

While I would agree in principle, I feel that the example set by Google begs to differ on how to handle unreasonable requests from the Government. In light of the terms and conditions of service, they are being held accountable for their involvement and/or complicity in this illegal search and seizure method. You'll note that the EFF lawsuit is v. AT&T not v. NSA. We all know there's 'No Such Agency' after all.

Re:Why did ATT allow the possibility?

[hauntingthunder]

why wasn't the data encrypted

Why go to all the trouble break in?

[kasparov]

Hell, they probably could have just *asked* for the information and AT&T would have handed it over...

At this rate...

At this rate we should just go ahead and release EVERYBODY's indentities.

any info on how they broke in ?

Any more technical info on just how exactly they broke in?

Who modded the troll up?

[phorm]

Seriously, that is disgusting. The article is completely unrelated to filesharing, and focusses on poor security. It also overlooks that the "information wants to be free" zealot crowd aren't necessarily the same as those in the information-security crowd. Either crowd also tends to be happy when somebody is nailed for trying to sell copied articles.

Copyright won't protect your personal information in any way. So perhaps you should go troll an RIAA article now. Perhaps if there's an article about how a filesharer with 1000 copyrighted songs had his personal info distributed by a p2p virus you can happily troll away. In the meanwhile, I think your name of "BS artist" pretty much fits.

Not all information wants to be free. Wanting to have free (as in choice) software is different from wanting my personal credit info out in the wild, or having a glass-toilet in a glass-bathroom.

Re:Who modded the troll up?

[bsartist]

It also overlooks that the "information wants to be free" zealot crowd aren't necessarily the same

What crowd? The "copying a CD is not a crime" quote was exactly that - a direct copy-and-paste quote from an earlier post made by the person I replied to. I wasn't referring to any mythical "crowd", I was referring to two contradictory (IMHO) statements that were made by the same person.

You might also want to look up the definition of the term "troll" - it doesn't mean what you think it means. It isn't anyone whose opinion you happen to disagree with. A troll makes statements that don't reflect its real opinion, because it's fishing (ask any fisherman what "trolling" is) for flames in response. I didn't do that. My intent is to point out the hypocrisy in an attitude that demands respect for one's own rights, while at the same time refusing to respect the rights of others.

Really?

[phorm]

Sorry, but these companies need online presence to offer the services they do. This implies a measured security risk, at which point your points of failure include:

Employees (or ex employees)
The software (and/or software creator)
The operating system (and/or OS creator)

and millions of points in-between. People want the convenience of credit cards and online access, unfortunately there is no foolproof security for this. For ever better vault, a better thief will emerge.

No no no NO NO no... and N-O!

[scovetta]

No!!!

1. MD5 is weak/broken. No MD5. Erase it from your vocabulary. Replace it with SHA-256 or better.
2. How many SSNs are there? At max, 1 billion (assuming they go 000-00-0000 to 999-99-9999). A reverse lookup directory of 1 billion 256-bit hashes would take around 36 gigabytes of disk space (if my math is correct).
3. If you add salt to it, then the salt becomes a secret key to the routine. Lose that key, and someone can re-create the lookup in a matter of hours (minutes?).

Really, you want to just create a unique identifier that doesn't mean anything else. SSN should be in a secured table somewhere ELSE that you'd join to if you needed it. Even better, SSN should be reserved for government use ONLY, but that's anotehr story.

Looks like I was on that list

[killermookie]

This email contains important information that requires your immediate
attention. Please do not reply to this e-mail; instead please use the
telephone number provided below if you wish to contact us.

You previously placed an order with AT&T for DSL-related equipment
through the http://www.sbcdslstore.com/ Website, at which time you
provided certain information including your name, address, e-mail
address, phone number, credit card number and credit card expiration.
(This information did not include your Social Security Number, Driver's
License Number, date of birth, or other identifying information.) AT&T
has learned that a computer containing the information you provided has
been accessed by an unauthorized person, who may have obtained this
information about you.

In addition, AT&T also believes that some customers who purchased
DSL-related equipment from us through this same website may be receiving
e-mails that appear to be from AT&T, but actually are being generated by
an unauthorized third-party (a practice known as "phishing"). These
e-mails refer to your prior order with AT&T and request that you
provide additional personal information such as your Social Security
Number, date of birth, or another credit card number and expiration date.
Please be advised that these e-mails are not being sent by AT&T and are not
legitimate. Do not respond to these e-mails or otherwise provide any of your
personal information in response or at any Website to which the e-mail may
refer you.
We sincerely regret that a third party was able to gain improper access
to your order information and we are working diligently with law enforcement
and major credit card companies to limit your potential exposure. Although
your 3-digit credit card verification number (from the back of your card)
was not stored, and therefore not accessed, we strongly suggest that you
contact your credit card company directly to report this suspected incident
and to protect the credit card you used to purchase this equipment from any
unauthorized activity.

In addition, we suggest that you contact the fraud departments of any one of
the three major credit-reporting agencies and let them know you may be a
potential victim of identity theft. That agency will notify the other two.
Through that process, a "fraud alert" will automatically be placed in each
of your three credit reports to notify creditors not to issue new credit in
your name without gaining your permission. For your convenience, we have
included contact information for all three credit reporting agencies:

Equifax
P.O. Box 740241
Atlanta GA 30374
To report fraud: 1-888-766-0008
Website: http://www.equifax.com/

Experian
P.O. Box 2002
Allen, TX 75013
To Report Fraud: 1-888-397-3742
Website: http://www.experian.com/

TransUnion
Post Office Box 6790
Fullerton, CA 92834
To Report Fraud: 1-800-680-7289
Website: http://www.transunion.com/

Lastly, to provide further security, AT&T is arranging to provide you the
option of enrolling for one year, at no cost to you, in a credit monitoring
service specifically designed to notify you of changes to your credit report
activity in order to detect fraudulent bank or credit card use. The service
will be provided by one of the major credit reporting agencies. We will
provide specific information on this option as part of a letter you will
receive via U.S. Mail in the next few days.

Again, we regret this unauthorized and unlawful access to your order
information and are working with law enforcement to pursue those who
are responsible. We are also reviewing applicable security procedures
in an effort to prevent an incident like this from recurring. Should yo

Re:Looks like I was on that list

[killermookie]

The sad part is that I dropped AT&T (it was SBC at the time) as my DSL provider and switched to Speakeasy several months ago.

Althought, switching to Speakeasy was the happy part.

Future transcript

[Eil]

AT&T Call Center Operator: Sir, may I ask you why you're choosing to cancel your service with us today?

Me: Well, let's see, first there was that whole Internet tapping thing.

AT&T: I'm not sure which Internet tapping situation you're referring to...

Me: GOOD GOD, THERE'S MORE THAN ONE?! Hold on, let me pull up my blog!

AT&T: No, sir, I meant I'm not personally aware of any Internet tapping. I assure you that AT&T values your privacy...

Me: And then you cooperated with the NSA in their illegal domestic spying project.

AT&T: While I can't offer any comments on that, I'd just like to state that your privacy is our first concern...

Me: Then you wouldn't mind explaning how just last weekend, you let slip the personal information of over 19,000 customers?

AT&T: Sir, I assure that incidents like this are very...

Me: STRIKE THREE, YOU'RE OUT! *click*

Good enough

[phorm]

a direct copy-and-paste quote from an earlier post made by the person I replied to

An early post not related to the article-at-hand.

Aside from that, you're talking about the 'rights of others' in reference to corporate ip holders, which insinuates that corporations are entitled to the same rights as private individuals.

But if you want to go back over old different-topic comments made... perhaps I can browse all recent flameish and offtopic moderations you've accumulated recently:

Offtopic
Flamebait
Flamebait
Offtopic

Sometime's a troll is just somebody who's natural inclination is to take an adversarial view or approach. That approach might be their opinion proper, because said person has a combative personality. Personally, if you're going to attack somebody on past comments in other subjects, perhaps you'd be better to send him/her an email rather than wasting our time.

Thanks! very informative!

Why did I have to read Slashdot postings to get the number, I'll never know. What ever happened to good journalism?