AT&T Screws Its DSL Customers

It seems that AT&T left a vulnerability on one of their webservers that allowed hackers to peek inside its online database and steal credit card information on about 19,000 of its customers who purchased DSL routers at its online store.

From Reuters here:

Hackers broke into one of AT&T Inc.’s computer networks and stole credit card data and other personal information from several thousand customers who shopped at the telecommunication giant’s online store.

AT&T said it was notifying “fewer than 19,000” customers whose data was accessed during the weekend break-in, which it said was detected within hours.

The company said it immediately shut down the online store, notified credit card companies, and was working with law enforcement agencies to track down the hackers.

“We recognize that there is an active market for illegally obtained personal information,” Priscilla Hill-Ardoin, AT&T’s chief privacy officer, said in a statement.

“We will work closely with law enforcement to bring these data thieves to account,” Hill-Ardoin said.

AT&T said it would also pay for credit monitoring services to assist in protecting the customers involved. The data theft involved people who had bought DSL equipment for high-speed Internet access.

Out of all of these types of stories I have reported, this one is unique in that AT&T noticed the breach quickly and stopped the compromise in progress. They immediately turned to law enforcement to deal with the data theft. Also, the Privacy Officer is well-versed about the underground market dealing with stolen identities and credit cards.

While I criticize AT&T for having weaknesses in their public-facing infrastructure, I applaud AT&T for having a well-rehearsed plan to identify and eliminate the threat and to contact law enforcement in a short timespan.

More often than not, companies do not have such a plan or it has not been exercised to ensure that similar breaches are quickly and effectively contained.