AT&T has just confirmed that for two weeks in April it was hacked by someone who used his or her position as an employee of a third party vendor that works with AT&T to gain access to personal information of AT&T customers. Included in the information stolen were Social Security numbers and birth dates, both of which are critical pieces of information that can be used by hackers for purposes of identity theft. AT&T is providing a free year of credit monitoring to those affected by the data breach. Although the breach occurred in April, AT&T is only now notifying the public of the data breach. Affected AT&T customers are receiving notification from AT&T.
This latest data breach brings up many issues including the need for a national standard for companies to publicly disclose data breaches in a timely fashion. It also brings up the issue of why AT&T, like so many companies stores personal information for which it has no use. While customers’ birth dates and Social Security numbers are necessary for companies to do credit checks prior to providing a service, once the credit check has been done, the companies have no reason to continue to store this information. Additionally, as we saw with the hacking of Target and now AT&T, where large companies are hacked through third party companies with which they do business, companies must do a better job of limiting the access of third party vendors with which they do business from having access to sensitive information totally unrelated to the services provided by the third party vendors.
As for us consumers, there is little that we can do other than to be vigilant in monitoring our accounts for identity theft and limiting the providing of personal information to the companies with which we do business as much as possible.