Bad Things Come in Small Packages Too
In April of this year, it was announced that AT&T Inc. will pay $25 million to settle a Federal Communications Commission investigation over three data breaches that exposed the personal information of about 280,000 customers.
The violations happened at AT&T’s (NYSE: T) call centers in Mexico, Colombia, and the Philippines. The data breaches involved the unauthorized disclosure of customers’ names, full or partial Social Security numbers, and unauthorized access to protected account-related data, known as customer proprietary network information (CPNI).
The FCC said data breaches occurred when AT&T employees at the call centers accessed customer records without authorization. These employees accessed CPNI while gathering other personal information used to request handset unlock codes for AT&T mobile phones, and then provided that information to unauthorized third parties.
Firestorm President Jim Satterfield was surprised, then, when yesterday a communication arrived from AT&T vendor C Space that carried its former Communispace branding [Communispace rebranded to C Space in June of this year] and contained a username and password for the AT&T Small Business Community Team.
The email read, in part:
“Welcome Jim Satterfield to AT&T where you will be joining the Small Business Community team. I hope you will enjoy it here as much as we will enjoy having you as part of the team.”
and contained user login credentials. About 3 hours later, Jim received another email reading:
“You may have received a “Welcome” email from [Communispace Email] today. This email was sent in error. Please be assured that your personal information is safe with us and has not been compromised due to this administrative error.
We apologize for the inconvenience and any confusion this may have caused. You can delete the email and disregard it.
We have taken measures to ensure that mistakes like this do not happen in the future.
If you have any questions or concerns, please contact [Communispace HelpDesk Email]”
Said Firestorm Managing Director Jack Healey: “Of the different types of breach, this is referred to as a ‘glitch’ - the unintentional release of data. C Space most likely sent the request to the wrong group, or an unapproved group. It makes AT&T look bad, and in this climate of cyber breach probably created hundreds of hours of work to soothe the nerves of customers.”
While on the surface this appears to be a slight error related to AT&T’s Small Business Community, Jim also saw it as an example of how a small vendor can create problems for its larger client. Especially in light of the recent challenges AT&T has experienced, one might expect a higher level of due diligence. Jim explained:
“This event appears not to be a significant problem. The details will be known over time. This event does show that it is easy for a supplier to take actions that can immediately impact a company, release information, or cause a significant problem.
Note that there was a 3-hour time difference from the initial email until the retraction email from the vendor. I assume there was a less than happy call from AT&T to C Space (formerly Communispace). Every company must continuously monitor for cyber-events.
These emails show the vendor had the AT&T customer’s name, username, email, password, and whatever profile information that AT&T shared. The vendor’s name change could indicate that AT&T and their customer’s data could have changed hands without approval of AT&T.
This is why testing client cyber-security plans, cyber-crisis response plans, and cyber-crisis communications is critical.
The Firestorm® Intelligence Network monitoring empowers clients to listen, then look, and act appropriately.
Not all cyber-breaches can be seen this quickly or publicly. The average cyber breach exists for over 240 days before discovery. Imagine the damage.
Are you ready? How do you know? Are you sure? These questions also apply to all cyber-events.”