Friday, September 01, 2006

AT&T data breach worse than reported: elaborate phishing method employed

Over this past weekend, AT&T suffered a data breach in which nefarious types stole customer information. AT&T reported the incident.

However, they left out a key part of the story.

The thieves, having obtained private information, concocted a rather elaborate phishing scheme in which they emailed the customers a message requesting more information (such as SSNs and birthdates).

AT&T told their employees about this part but failed to mention it publicly. I can understand why. However, embarrassment is not an excuse.

Thanks to somebody at AT&T, David Lazarus of the SF Chronicle got a copy of the memo that circulated within AT&T and published a rather illuminating story here.