On November 29 Judge Clarence Cooper of Atlanta’s U.S. District Court ordered that Tamarac, Fla.-based 1st Source Information Specialists Inc. and company principals Kenneth W. Gorman and Steven Schwartz disgorge all profits and pay Cingular Wireless compensatory and punitive damages and attorney fees totaling $1,135,000.
1st Source was harvesting cell phone numbers from web sites and doing reverse lookups for cellphone numbers and selling the information to other businesss for $110 to $195. To make things worse they were also selling records of the calls made from specific cell phone numbers; an additional huge invasion of privacy.

The Cingular complaint claimed the defendants “engage[d] in deceit, trickery and dishonesty to obtain private information from Cingular’s (customer service representatives) through ‘social engineering,’ improper hacking and/or through unauthorized access to online account information stored on Cingular’s database.”
The stated techniques included “instances of the defendants or their employees using customers’ passwords to access their accounts, pretending to be Cingular customers seeking information about their own accounts or posing as “fellow [Cingular] employees facing an urgent access problem in accessing a customer account.””
Social engineering is a tough threat to guard against, and is widely used. This case highlights the importance of training personnel on an ongoing basis for how to safeguard information, including how to prevent successful social engineering attempts.
Coincidentally Dr. Gary Hinson at NoticeBored issued his monthly newsletter a couple of days ago, the topic for which was social engineering. Dr. Hinson’s site has many great article on this topic; it is a good place to go to get ideas for your own awareness and training activities.
This case also shows that organizations, information security and privacy practitioners in particular, need to be diligent in knowing their company’s (likely marketing department’s) plans for harvesting data such as cell phone numbers and email addresses for marketing purposes. They must also check before purchasing customer contact lists to make sure the information they want to purchase was gathered legally and with the individuals’ consent.

Tags: awareness and training, data mining, Information Security, IT compliance, judgment, policies and procedures, privacy, social engineering

This entry was posted on Thursday, November 30th, 2006 at 6:45 pm and is filed under Privacy and Compliance. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.