Today Computerworld reported that hackers broke into AT&T’s systems over this past weekend.
"Malicious hackers broke into one of AT&T Inc.’s computer networks and stole credit card data and other personal information from several thousand customers who shopped at the telecommunication giant’s online store. AT&T said it was notifying 'fewer than 19,000' customers whose data was accessed during the weekend break-in, which it said was detected within hours. The company said it immediately shut down the online store, notified credit card companies and was working with law enforcement agencies to track down the hackers. 'We recognize that there is an active market for illegally obtained personal information,' Priscilla Hill-Ardoin, AT&T’s chief privacy officer, said in a statement. 'We will work closely with law enforcement to bring these data thieves to account,' Hill-Ardoin said. AT&T said it would also pay for credit monitoring services to assist in protecting the customers involved. The data theft involved people who had bought DSL equipment for high-speed Internet access."
It is refreshing to see that AT&T is not trying to downplay the potential seriousness of the incident.
Breach response actions they did right:
- Notified the impacted individuals quickly. They did not wait months to notify, as most other companies have done in the past, such as ChoicePoint and the Department of Veterans Affairs.
- Did not sugar-coat the potential impact of what could be done with the data. They acknowledged that there are many fraudsters and criminals out there who make significantly large amounts of money selling personal information to other criminals.
- Did not say that the information had not been misused. Too many times companies try to shrug off the potential impact of the incident by saying that they do not believe stolen information had been used, or that there was no malicious intent by the unknown hacker, when in fact there is no way they could possibly know this.
- Is paying for credit monitoring for the 19,000 impacted individuals. Such credit monitoring, while not 100% effective, certainly will help the impacted individuals learn whether their data is being used for fraud, in many of the ways that fraud shows up. More businesses, indeed all businesses, must accept responsibility for their security incidents and step up and pay for this monitoring for impacted individuals instead of telling the individuals they must pay for it themselves.
I’ll be interested to see follow-up information on this incident, if there is any.