News broke this week of a breach of AT&T customers’ data, the second event this year for the cellular provider. In an eerily similar method of stealing private information for the purpose of reusing it, an employee allegedly accessed sensitive data, this time of over 1,600 AT&T customers.

Phone data breachThe breach that took place earlier in the year involved “unlocking” smartphones in order to take them to any provider. In that event, several third party contractors to the company quite literally entered an AT&T store and used the computer system to look up and record the private information on a few hundred customers. The thieves needed the private information in order to override the protocols that make an individual phone specific to the AT&T network. Once the retrieved data is used to unlock the phone from AT&T’s cellular service, the phone can then be used on any provider’s network. This is what makes a stolen phone useful for resale, since it would otherwise have to be sold to an in-network customer.

The thieves had a batch of stolen phones—either that they had stolen themselves or that they were in connection with—and needed customers’ security information in order to unlock them. There hasn’t been any definitive word on whether the thieves then went on to sell that information for identity theft purposes, but AT&T provided a year of credit monitoring protection to the affected consumers to be safe.

Now, an AT&T employee has accessed the data of almost two thousand customers, despite the fact that the company hasn’t been able to determine why the employee looked at the information. It’s believed that the purpose was for identity theft, but that hasn’t been confirmed. What is known is the types of information were accessed, and it was enough identifying information—like Social Security numbers, birthdates, and driver’s license numbers—that AT&T has terminated the employee and is once again covering the costs of credit monitoring services for the affected customers.

Whenever a breach like this one occurs, industry watchers have to ask the same question: why do companies gather and store this kind of information on their customers?

In the case of a service provider like a cell phone company, a credit check may be required in order to initiate a contract, but there’s no reason for the company to continue to store the Social Security numbers, especially when some reports indicate that the majority of consumer data breaches are inside jobs involving the companies’ own employees.

Moreover, the question needs to be asked, “Why are employees able to access this information in the first place?” Even if a legitimate reason for gathering the data was found, why are all employees able to view customers’ secure data?

There are an unfortunately low number of steps consumers can take to minimize their risks in this situation. Those who receive letters from AT&T must take advantage of the free credit monitoring option and will need to keep a close watch on their credit reports to look for suspicious activity. Customers who are not affected, even those from a different cell phone provider, can attempt to contact the companies and have their Social Security numbers deleted from the system’s computers in order to avoid an employee-based or network hacking data breach; if that doesn’t work, prepaid cell phone services do not require Social Security numbers as they are not running a background check.

 

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.