AT&T may have been up front about the theft of customers' data, but it was less forthcoming about its fate, seemingly putting its own best interests ahead of customers'.
News sources widely covered the report this week that an AT&T Web site had been hacked over the weekend and the prepatrators had made off with the personal data of 19,000 users. The company stressed that the breach was noticed quickly, the site was shut down, the authorities were notified. It all seemed well in hand.
Turns out that the day AT&T let the media know about the theft -- last Tuesday -- it circulated an internal memo announcing that the data had already been put to use in an intricate phishing scam, according to reports. (Dave Lazarus at SFGate.com reports getting his hands on AT&T's internal memo.)
The hackers made good use of their data bounty. Sending out messages supposedly from "SBCdslstore.com," the phishermen informed recipients: "we recently tried to charge your credit card for your SBCdslstore.com order and it was rejected by the bank because it has no complete information."
"Each message included a legitimate order number culled from the AT&T vendor's database to create an illusion of authenticity. Messages also included the recipient's home address and the last four digits of his or her credit card number," Lazarus said.
AT&T claims it sent personal e-mails to those customers whose data had been swiped, alerting them to the risk. Real nice, guys. Sending such an important message to your customers via e-mail, which could easily be confused as spam or, hey, a phishing attempt, is simply irresponsible.
Rather, I think the company should have been forthcoming and let the media do its job in helping alert customers to what was happening to their data. Yes, it would have taken some lumps in the process, but now, I'd say it's in for a few more.
Also irksome: The hack of AT&T's Web site is yet another string of data thefts where a third party vendor dropped the security ball. (Others of recent note include the Dept. of Veteran Affairs and Chevron.) In this case, the breach occurred "not within AT&T's own system but at 'an AT&T vendor that operates an order processing computer' for the online DSL store," Lazarus writes.
The names of the vendor was not disclosed.
So vendors, in addition to being clear and honest with your customers about what's happened to their data, you need to hold your partners accountable when they make this kind of goof. This isn't the same as a partner delivering a late shipment due to a clerical error. We're talking about the credit history and privacy of real, live people. Your customers. The ones who keep your organization in business.
And never forget: Whether you're the CEO or the head of the mailroom, you could be next.