AT&T is advising customers that a rogue employee illegally accessed their personal information.
In a breach notification letter sent to customers and the Vermont attorney general, AT&T explained the breach occurred in August. The employee responsible is no longer with the company.
According to the letter, the employee was able to view and may have accessed customer information ranging from social security numbers to driver’s license numbers. In addition, while accessing user accounts, the employee would have been able to view their Customer Proprietary Network Information (CPNI) without authorization. CPNI data is associated with services customers purchase from AT&T.
It is not clear how many customers were affected by the breach or if consumers in other states may have been involved.
“AT&T’s commitments to customer privacy and data security are top priorities, and we take those commitments seriously,” according to the letter.
“Simply stated, this is not the way we conduct business, and as a result, this individual no longer works here,” the letter notes.
AT&T is offering affected consumers a year of free credit monitoring, and said in the letter that any unauthorized changes that had been made to accounts would be reversed. The company has contacted federal law enforcement as well.
Earlier this year, employees of one of AT&T’s service providers accessed customer information without authorization as well. According to AT&T, the perpetrators in that case were trying to gather information that could be used to request codes to unlock AT&T mobile phones so that they could be used with other telecommunications providers.
“Insiders are worse than hackers because there’s no way to protect against them that’s truly effective,” opined Jonathan Sander, strategy and research officer for STEALTHbits Technologies. “If you need to do business, you need people to access information. If the wrong person or the person in the wrong frame of mind decides to use that access badly, what can you do?”
“This proves, yet again, that humans are the weakest link in any security plan,” he added. “It’s the old IT administrator joke about a system error called PEBKAC – Problem Exists Between Keyboard And Chair.”