Federal authorities unsealed a 22-count indictment last week that serves as a prime example of the challenges of managing and securing third-party access to corporate networks.
According to the U.S. Department of Justice, eight people in Florida have been charged in connection with the theft of information on customers of AT&T. The indictment names: Chouman Emily Syrilien, 25, of Lauderdale Lakes; Arrington Basil Segu, 28, of Miami; Carlos Antonio Alexander, 24, of Orlando; Angel Arcos, 23, of Pompano Beach; Shantegra La’Shae Godfrey, 23, of Deerfield Beach; and Monique Smith, 31, of Pompano Beach as conspirators in the case.
According to the charges, Syrilien was an employee of Interactive Response Technologies (IRT), which provides staffing for call centers to handle direct sales and customer inquiries for AT&T. The indictment alleges that Syrilien provided a co-conspirator with personal identifying information from multiple AT&T customer files, as did Segu.
The criminals added Alexander, Godfrey and Smith as 'authorized users' on victims’ credit or debit card accounts. Once a co-conspirator’s name was added as an authorized user, the bank and or credit card company was directed to mail additional debit or credit cards bearing the names of these newly-added authorized users to their addresses or addresses under their control.
According to authorities, the defendants then used these credit and debit cards to make purchases or obtain money. Alexander, Smith and Godfrey are each accused of making both retail purchases as well as cash advances in excess of $24,000, $12,000 and $8,200, respectively.
"Keeping a close eye on who has access to what is a seriously difficult undertaking, and fully vetting and monitoring all staff requiring access to personal info is likely to be all but impossible, even when all those staff are in-house," blogged John Hawes on Sophos' Naked Security blog.
"Firms that entrust data to third parties need to ensure that assurances they receive regarding auditing and vetting are backed up by concrete evidence that their data is properly secured," he added.
If convicted, the defendants each face a maximum of 30 years in prison for the conspiracy charge, a maximum of 10 years in prison for the access device fraud charge and a mandatory term of two years in prison for each aggravated identity theft charge - at least one of which must be served consecutive to any other term in prison.