AT&T Accidentally Exposes Billing Information, Addresses of iPhone 4 Buyers
June 16, 2010
Security is a lot like combating illness — sometimes you have a relatively minor issue that affects many people, other times you have a major issue that only affects a few. AT&T’s iPad email leak and its ramifications were bad enough, but AT&T’s latest breach appears to be even worse.
This morning the iPhone 4 preorder process was having some serious denial of service issues thanks to a deluge of customers looking to order the hot new phone from Apple. But AT&T’s servers didn’t just deny service to some — they also apparently started doing some naughty things as well.
Several customers have written reporting that they logged in to their AT&T accounts, only to enter another user’s account. Full information, including bills, phone numbers, possible credit card information, addresses, and more greeted them according to growing reports over at Gizmodo.
This nightmarish scenario, appears only to be affecting a few of AT&T’s subscribers, but for those impacted it could lead to some very serious problems, should the info fall into the hands of someone who might be tempted to abuse it.
One user, John King, describes:
I LOGGED IN AS ME AND IT BROUGHT UP A MARY ???? BIG PROBLEMA tech at one of AT&T’s contractors reveals an untested security update rolled out to servers over the weekend may be to blame. They write:
I work at a 3rd party order processing facility—what AT&T refers to as a 3CC. We process business-to-business, business-to-customer Wireline Indirect, and ACME/PAC (what AT&T calls their iPhone program internally). Agents use AT&T programs called Phoenix, Telegence, Compass, Ordertrack and myCSP to process orders.
Over the weekend there was a major fraud update that went down on all of AT&T’s systems, from Saturday overnight to Sunday early morning. All systems were down and agents were unable to use any systems.
The issues people are seeing at AT&T stores and online are most likely related to this update that went wrong.
I do know that there was absolutely NO TESTING of this system done before the launch of the new iPhone. I know it’s just heresay at this point, but I can confirm that there was a major outage over the weekend that impacted all ordering systems and programs, and I can confirm that there were multiple systems being upgraded/updated, with some updates being related to fraud.
At this point, I can say that the system that AT&T uses to send automated orders to be processed is as of this very moment down completely. Our facility is unable to process any orders by phone or by automation.
[Regarding the identity problem] Whenever we see people who are logging in and seeing other customer’s account info, it is an issue with the databases that contain customer information. Orders that contain any information like this can cross customer information, and cause a customer be able to see other accounts by logging out and logging back in. This means that when they log in a few times, it gives them different customer account info every time. It’s a rare occurrence, but it has happened in the past.
You might want to advise people to not get the upgrade at this point as it may be a doorway to a major privacy breach.
So apparently the advice from at least one source close to AT&T is pretty drastic — don’t order the iPhone 4, if you don’t want your credit cards and other info exposed. One can only shake there head in amazement at how AT&T let this happen after their iPad bungle last week.
Update 1: Tues. June 15, 2010 8:45 p.m.
We just received the following official statement from AT&T explaining their knowledge of the situation and what definitely has not been leaked. The statement is as follows:
We have received reports of customers inadvertently seeing the wrong account information during the iPhone 4 purchasing process. We have been unable to replicate the issue, but the information displayed did not include call-detail records, social security numbers, or credit card information. In the meantime, we are looking into this matter.
_© 2009, DailyTech.