AT&T Show How Not to Handle a Data Breach

There’s an ongoing argument in barrooms, pubs and wherever else soccer fans gather about who is the best player in the world. The general consensus right now is Lionel Messi, the Argentinian genius, but others can build a case for Wayne Rooney, Didier Drogba or even Cristiano Ronaldo. A similar discussion often breaks out among security professionals about which vendor currently is wearing the goat’s horns, and while Adobe has topped the list of late, AT&T, a late entrant, is gunning for that number one spot right now.

The evidence here is the mess that’s come from the exposure of personal data belonging to more than 100,000 iPad buyers. The attack, which was disclosed last week, exploited a vulnerability in AT&T’s Web site and enabled hackers to obtain the email addresses of the people who bought specific iPads. In terms of security breaches, this is not the end of the world. Email addresses are sold by the hundreds of thousands every day by spammers and phishing gangs, and it doesn’t look like there’s any easy way for the attackers to match the emails to buyers’ other personal information.

The real problem is AT&T’s response to the iPad breach. Instead of issuing a mea culpa and pledging to do better, AT&T essentially deflected all the blame to the attackers. It’s the corporate version of the Some Other Dude Did It Defense. In an email statement about the iPad breach, AT&T takes little responsibility for the incident. From the email sent by AT&T’s Dorothy Attwood:

The hackers deliberately went to great efforts with a random program to extract possible ICC-IDs and capture customer e-mail addresses. They then put together a list of these e-mails and distributed it for their own publicity.

As soon as we became aware of this situation, we took swift action to prevent any further unauthorized exposure of customer email addresses. Within hours, AT&T disabled the mechanism that automatically populated the e-mail address. Now, the authentication page log-in screen requires the user to enter both their e-mail address and their password.

I want to assure you that the e-mail address and ICC-ID were the only information that was accessible. Your password, account information, the contents of your e-mail, and any other personal information were never at risk.
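The flaw the article describes (a log-in page that filled in the account e-mail for any ICC-ID it was handed, before any authentication) and the fix AT&T's statement describes (require both e-mail and password), modelled side by side as an added example; this is not AT&T's code, and the subscriber table, ICC-IDs, passwords and function names are constructed for illustration.

```python
"""Added example, not AT&T's code: the pre-fix ICC-ID -> e-mail prefill
beside the hardened log-in described in AT&T's statement.
All accounts, ICC-IDs and credentials are constructed sample data."""
import hashlib
import hmac
from typing import Optional


def _pw_hash(password: str) -> bytes:
    # Fixed salt and low iteration count keep the demo fast; a real
    # deployment uses a per-account random salt and a higher count.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 20_000)


# Constructed sample subscriber table: ICC-ID -> (e-mail, password hash).
# ICC-IDs are issued sequentially, which is why a guessable identifier
# must never be enough on its own to return account data.
ACCOUNTS = {
    "89014104000000000001": ("alice@example.com", _pw_hash("correct horse")),
    "89014104000000000002": ("bob@example.com", _pw_hash("battery staple")),
}


def prefill_email_unauthenticated(iccid: str) -> Optional[str]:
    """Pre-fix behaviour: the page looked up the e-mail for the supplied
    ICC-ID and wrote it into the form before the user had proven anything.
    Every valid ICC-ID therefore discloses an e-mail address to anyone."""
    rec = ACCOUNTS.get(iccid)
    return rec[0] if rec else None


def login_hardened(iccid: str, email: str, password: str) -> bool:
    """Post-fix behaviour: nothing is disclosed; the caller must supply the
    e-mail address and password. Unknown ICC-ID, wrong e-mail and wrong
    password all yield the same False, the password hash is always computed
    and both comparisons are constant-time, so neither the answer nor the
    timing tells a caller which part of the guess was right."""
    rec = ACCOUNTS.get(iccid)
    stored_email, stored_hash = rec if rec else ("", _pw_hash("dummy"))
    email_ok = hmac.compare_digest(stored_email.encode(), email.encode())
    pw_ok = hmac.compare_digest(stored_hash, _pw_hash(password))
    return rec is not None and email_ok and pw_ok
```

The unauthenticated prefill returns an address for every valid identifier it is fed, which is the whole defect; the hardened path returns account data only after a full credential check and keeps its error behaviour uniform.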

Stop it. Just stop it. Very few customers care a whit about the gory details of the attack. They couldn’t care less whether the “malicious hackers” used some insanely creative tactic that would make Mark Dowd’s head spin or whether they just found a list of email addresses in a Dumpster. What they care about is the outcome, and the outcome here is a Dumpster fire.

It’s all well and good that AT&T identified the problem and fixed it. That’s a given. It should not be the meat of your press release. It should be the last paragraph, following a detailed apology and a promise to do better. Many people in the security and privacy communities have been sharply critical of AT&T for its response, and rightly so. This is precisely how not to respond to an incident like this.

The standard on responses to attacks has been set by organizations such as the Apache Software Foundation, whose main site was compromised last summer. Apache was entirely open and honest about the attack and gave as much detail as it had on hand. That’s the model that AT&T and other organizations that find themselves in these embarrassing situations should follow. It may be painful in the short term, but it’s the best way forward.

Discussion

  • Janice Taylor-Gaines on

    This is a GREAT article despite the dismay of the breach. In David Scott’s words, everyone needs to be a mini-Security Officer today. I think Mr. Scott, the author, is right: Most individuals and organizations enjoy Security largely as a matter of luck. For some free insight check out his blog, “The Business-Technology Weave” – you can Google to it. Anyone else here reading I.T. WARS? It reflects much of what is said here. I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS – check out a couple links down and read the interview with the author David Scott at Boston’s Business Forum. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium). “In the realm of risk, unmanaged possibilities become probabilities.” Keep “security” front and center! Great stuff.

  • WareZwolF on

    LOL @ AT&T! They are also great at stealing from customers and extortion by credit rating. Not to mention many found it easier to pay rather than spend over an hour on the phone only to have them do exactly none of what they claim they would do to fix their errors. They deserve what they get.

  • Just One Thought... on

    Gotta love at&t.. I'm lolrotf in so many ways!!! Please someone, anyone... how does "random" happen to over 100,000 people!!! WareZwolf is so right... What goes around... will come around.

  • Mark Kerzner on

    "Mea culpa," not "mea cupla" :)