Computer hackers stole the credit card information and some personal data of approximately 19,000 customers who purchased DSL equipment via AT&T’s online store. Subscribers to its service, though, were not affected.
The theft occurred over the weekend, AT&T said, and is currently under investigation by authorities.
The company is offering to pay for credit monitoring services for customers who were affected by the security breach.
“We recognize that there is an active market for illegally obtained personal information. We are committed to both protecting our customers’ privacy and to weeding out and punishing the violators,” said Priscilla Hill-Ardoin, AT&T’s chief privacy officer.
Eroding Trust
Companies have been separated from their customers’ data in a myriad of ways over the last few years. Some organizations have lost data when laptops containing identifying information were lost or stolen. Other firms — most notably data broker ChoicePoint — have been duped into handing over customer data; in ChoicePoint’s case, customer data was actually faxed to identity thieves posing as clients.
Hack attacks, such as the one against AT&T, are particularly worrisome because in these cases, even if the company does everything right, its systems may often still be vulnerable.
As a result, there has been an erosion of trust by consumers in e-commerce transactions, fueled in part by incidents such as these.
“Stories like this make the public a little wary of conducting business online,” Ron O’Brien, senior security consultant for Sophos, told TechNewsWorld. “At the same time though, it is a wake-up call for the vendor to make sure its method of collecting data is completely secure.”
By and large, however, e-commerce is safe, he remarked. “The economy is such that it now depends on consumers being able to conduct transactions online.”
That said, certain practices on the part of the vendor can maintain trust with the consumer even when attacks happen, he noted.
Best Practices
For starters, notification by vendors is key. Strict consumer laws passed in many states, most notably California, oblige many companies to notify customers when their data has potentially been compromised. There is a movement afoot in Congress, though, to give companies greater discretion as to the circumstances in which they must notify consumers.
This is a mistake, according to O’Brien. “There needs to be trust by consumers in their vendors,” he said.
Another goodwill gesture on the part of vendors that is rapidly reaching the status of best practice is to offer free credit monitoring services to customers that are affected by a breach, as AT&T has done in this case.