AT&T Wireless customer records found by good Samaritan
|
Date Reported:
5/25/10
Organization:
Ferrell Communication (defunct, no website)
AT&T
Contractor/Consultant/Branch:
Unknown
Location:
Jacksonville, Florida
Victims:
"AT&T cell phone customers"
Number Affected:
Unknown*
*The report claims that "hundreds of files" were discovered
Types of Data:
"personal information of AT&T cell phone customers, including credit card numbers, driver's licenses and Social Security numbers"
Breach Description:
Hundreds of files containing personal information belonging to AT&T cell phone customers were found in a residential recycle bin.
Reference URL:
WJXT Jacksonville Channel 4 News
Report Credit:
WJXT Jacksonville Channel 4 News, this news report was forwarded to us by an informed reader.
Response:
From the online source cited above:
Jessica Menendez got quite a surprise when she looked in her recycle bin.
Someone had dumped hundreds of files of people's personal information, and she had no idea where they came from.
The manila folders Menendez found contained personal information of AT&T cell phone customers, including credit card numbers, driver's licenses and Social Security numbers.
It appears the information was collected by another company called Ferrell Communication, which was located in a strip mall on Atlantic Boulevard.
[Evan] A quick Google search for "Ferrell Communication" brought up nothing. This place has been gone for quite some time.
The information is contracts for AT&T wireless service customers dating back to 1999 or 2000. The information is old, but could still be valid.
[Evan] Really? The driver's license and Social Security numbers are both certainly still valid!
Menendez said when she found the information, she was worried, so she called AT&T to let the company know.
[Evan] We need more good Samaritans like this in this world.
"AT&T gave me the run around. They looped me around back to their main menu several times," Menendez said. "I gave them my information and never heard back from them."
[Evan] Hard to believe?
AT&T told Channel 4's Jim Piggott it is very interested in how the information was dispensed there. The company said it goes against its policy, and it's reviewing how this happened.
[Evan] When the media calls, AT&T gets very interested all of the sudden. What does this tell you?
The company said it will hand the issue over to its security department. Meanwhile, Menendez took it a step further and notified the police.
"I would like to have an officer pick these up," she said.
AT&T released the following statement Tuesday afternoon:
"At this time, we continue to investigate the situation in conjunction with the local sheriff's office and have determined that these records originated from a dealer no longer associated with AT&T Wireless, a company we acquired in 2004.
[Evan] If I am reading this right, AT&T acquired Ferrell Communication in 2004. I assume then that AT&T bears the brunt of responsibility for the security of these records.
As information, AT&T requires that vendors acting on its behalf protect customer records and personal information. Vendors are required to keep customer information only as long as needed for business, tax or legal purposes, after which they are required to destroy it by making it unreadable or undecipherable. We take all matters related to security and privacy very seriously. At this time, AT&T has obtained the customer records in question and will dispose of them in accordance to our standard practice."
[Evan] Does this seem as though AT&T is passing some of the blame on to Ferrell Communication, or is it just me?
Commentary:
Personally, I have been through two major mergers/acquisitions. Both times, I was on the acquired side. When an organization acquires another business, it also acquires its assets (and often times liabilities). Generally speaking, a substantial amount of value, sometimes exceeding 80% of the total transaction, is found in the acquired company's intangible assets (information, knowledge, people, etc.). Following poor information security practices before, during, and after an acquisition of another company can easily devalue the acquisition to a point where the acquiring company losses money in the long term.
Anyway, back to this breach... Obviously AT&T and Ferrell Communication personnel should have done a much better job of securely discarding this information. Most companies have created and implemented a data destruction and reuse policy by now, but we rely on the people working with the information itself to follow requirements. There are many things we can do to improve security compliance, but I'm not going there right now (another date and time maybe).
Past Breaches:
Ferrell Communication:
Unknown
AT&T:
August, 2007 - AT&T Stolen Laptop, Unknown Number of Former Employees Affected
June, 2008 - AT&T management information on stolen laptop
Posted by Evan Francen at 5/28/2010 8:41 AM 
Categories: Ferrell Communication, Insecure Discard, ATT
Categories: Ferrell Communication, Insecure Discard, ATT
Posts Atom 1.0
Comments