AT&T Breached, Exposes 19,000 Identities
mytrip writes to tell us News.com is reporting that a recent attack on AT&T's systems saw thousands of customers' personal data compromised. About 19,000 customers of AT&T's online store who purchased equipment for a DSL connection were affected. From the article: "AT&T is offering to pay for credit monitoring services for customers whose accounts have been impacted because they could be at risk of identity fraud. The company also has made available a toll-free number to affected customers to call for more information."
I wouldn't even be so sure of that. Nowadays whenever I see any corporation saying they take responsibility for something, I immediately suspect another yesmen prank.
Now that may not be very likely, but if I were the yesmen, I'd be perched and waiting for another ID theft scandal, because nothing would be more meta than stealing the ID of a PR person handling an ID theft incident.
Someone had to do it.
You should not be able to do so much damage with a simple number and some extra data. It is ridiculous that armed with merely this amount of information one could cause so much damage. The system needs to be completely reworked.
That is why, when they ask for my SSN, I say "I don't have one"... They say "huh? *dumbest look on their face*" and I tell them "I was born overseas and do not have one... and you shouldn't need it anyway....."... It usually works. I've nearly always had to pay a higher deposit ('cos they can't check my credit), but it's a small price to pay to not give my SSN to the library / power company / phone company / Old Navy / lunchlady...
I'm one of the folks whose information was stolen. I discovered this not by AT&T informing me, but by the phishing attempt I received via email. The email claimed they couldn't access my bank account to pay for my order, and directed me to what appeared to be the ordering site. Since they had the actual order number, I didn't think anything was amiss (other than another company screw up asking me to pay for an order I'd already paid for), and clicked the link.
I was surprised to be prompted to enter my birthdate and SSN. Which, of course, I did not do. It was also suspicious that all the images were not loading. That's when I noticed the link I'd clicked was not sbcdslstore.com, but sbcdslstore.org. They'd set up a phishing site, linking back to the images on the real sbcdslstore site. (SBC became AT&T, and the company was still using the old site I'd imagine.) At least by shutting down their site, AT&T made the phishing attempt much more obvious.
The ironic thing for me is that I'm not even an AT&T customer. A friend of mine who does use their DSL service moved recently, and lost the AC/DC adapter for their DSL modem somehow in the move. Since they didn't have internet, I was nice and ordered a replacement adapter for them. Another good deed punished. Oh well, I was thinking of changing banks anyway.
I think you'll understand why I'm posting anonymous.
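The comment above describes the phishing page at sbcdslstore.org pulling its images from the real sbcdslstore.com site. As an added example (not part of the thread and not AT&T's tooling), this shows how the legitimate site's operator could spot that in its own access log: flag image requests whose Referer is a foreign host, and mark hosts that carry the store's name under another TLD. The log lines, paths, and the `brand_label` and `hotlink_findings` names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

LEGIT_HOST = "www.sbcdslstore.com"  # the real store host named in the comment
IMAGE_EXT = (".gif", ".jpg", ".jpeg", ".png")
# Apache "combined" format: "METHOD target PROTO" status bytes "referer" ...
LINE_RE = re.compile(r'"(?:GET|HEAD) (\S+) [^"]*" \d{3} \S+ "([^"]*)"')

# Constructed sample log lines (documentation IP ranges, made-up paths and times).
SAMPLE_LOG = """\
198.51.100.7 - - [29/Aug/2006:10:01:02 -0500] "GET /images/logo.gif HTTP/1.1" 200 2326 "http://www.sbcdslstore.com/order.html" "Mozilla/4.0"
203.0.113.9 - - [29/Aug/2006:10:02:10 -0500] "GET /images/logo.gif HTTP/1.1" 200 2326 "http://www.sbcdslstore.org/verify.html" "Mozilla/4.0"
203.0.113.9 - - [29/Aug/2006:10:02:11 -0500] "GET /images/cart.gif HTTP/1.1" 200 812 "http://www.sbcdslstore.org/verify.html" "Mozilla/4.0"
192.0.2.44 - - [29/Aug/2006:10:03:00 -0500] "GET /images/logo.gif HTTP/1.1" 200 2326 "http://search.example/?q=dsl+adapter" "Mozilla/4.0"
192.0.2.45 - - [29/Aug/2006:10:03:30 -0500] "GET /order.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

def brand_label(host):
    """Host name without a leading 'www' and without its last label.
    Assumes a single-label TLD; use a public-suffix list for real traffic."""
    labels = host.lower().split(".")
    if labels[0] == "www":
        labels = labels[1:]
    return ".".join(labels[:-1])

def hotlink_findings(log_text, legit_host=LEGIT_HOST):
    """Map each foreign referring host to the images it pulled from us."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        target, referer = m.groups()
        if not urlsplit(target).path.lower().endswith(IMAGE_EXT):
            continue
        ref_host = (urlsplit(referer).hostname or "").lower()
        if not ref_host or ref_host == legit_host:
            continue  # direct hit, stripped Referer, or our own page
        entry = findings.setdefault(ref_host, {
            "lookalike": brand_label(ref_host) == brand_label(legit_host),
            "assets": set()})
        entry["assets"].add(target)
    return {h: {"lookalike": e["lookalike"], "assets": sorted(e["assets"])}
            for h, e in findings.items()}

if __name__ == "__main__":
    for host, info in hotlink_findings(SAMPLE_LOG).items():
        print(host, "LOOKALIKE" if info["lookalike"] else "other", info["assets"])
```

A Referer can be stripped or forged, so an empty result proves nothing; a lookalike hit is a lead for takedown requests and customer warnings.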
That would be fine if AT&T were the only company having these problems.
Has ANYONE set up a clearinghouse for these security breaches so I can keep an eye on where (not if) my private information is leaking?
This email contains important information that requires your immediate
attention. Please do not reply to this e-mail; instead please use the
telephone number provided below if you wish to contact us.
You previously placed an order with AT&T for DSL-related equipment
through the http://www.sbcdslstore.com/ Website, at which time you
provided certain information including your name, address, e-mail
address, phone number, credit card number and credit card expiration.
(This information did not include your Social Security Number, Driver's
License Number, date of birth, or other identifying information.) AT&T
has learned that a computer containing the information you provided has
been accessed by an unauthorized person, who may have obtained this
information about you.
In addition, AT&T also believes that some customers who purchased
DSL-related equipment from us through this same website may be receiving
e-mails that appear to be from AT&T, but actually are being generated by
an unauthorized third-party (a practice known as "phishing"). These
e-mails refer to your prior order with AT&T and request that you
provide additional personal information such as your Social Security
Number, date of birth, or another credit card number and expiration date.
Please be advised that these e-mails are not being sent by AT&T and are not
legitimate. Do not respond to these e-mails or otherwise provide any of your
personal information in response or at any Website to which the e-mail may
refer you.
We sincerely regret that a third party was able to gain improper access
to your order information and we are working diligently with law enforcement
and major credit card companies to limit your potential exposure. Although
your 3-digit credit card verification number (from the back of your card)
was not stored, and therefore not accessed, we strongly suggest that you
contact your credit card company directly to report this suspected incident
and to protect the credit card you used to purchase this equipment from any
unauthorized activity.
In addition, we suggest that you contact the fraud departments of any one of
the three major credit-reporting agencies and let them know you may be a
potential victim of identity theft. That agency will notify the other two.
Through that process, a "fraud alert" will automatically be placed in each
of your three credit reports to notify creditors not to issue new credit in
your name without gaining your permission. For your convenience, we have
included contact information for all three credit reporting agencies:
Equifax
P.O. Box 740241
Atlanta GA 30374
To report fraud: 1-888-766-0008
Website: http://www.equifax.com/
Experian
P.O. Box 2002
Allen, TX 75013
To Report Fraud: 1-888-397-3742
Website: http://www.experian.com/
TransUnion
Post Office Box 6790
Fullerton, CA 92834
To Report Fraud: 1-800-680-7289
Website: http://www.transunion.com/
Lastly, to provide further security, AT&T is arranging to provide you the
option of enrolling for one year, at no cost to you, in a credit monitoring
service specifically designed to notify you of changes to your credit report
activity in order to detect fraudulent bank or credit card use. The service
will be provided by one of the major credit reporting agencies. We will
provide specific information on this option as part of a letter you will
receive via U.S. Mail in the next few days.
Again, we regret this unauthorized and unlawful access to your order
information and are working with law enforcement to pursue those who
are responsible. We are also reviewing applicable security procedures
in an effort to prevent an incident like this from recurring. Should yo