Data breaches are an all-too-common fact of modern life. They can’t always be avoided, but when a major company is hit, its customers have every right to be notified immediately. So why did AT&T Mobility take at least one month to notify its wireless customers that their personal data, including social security numbers and call records, had been exposed?
Plenty of reporters, including me, have asked the company to explain the delay. It hasn’t. The company now acknowledges that the breach occurred two months ago. It says it learned about the situation in May and eventually sent letters to the customers at risk.
The breach took place between April 9 and April 21, 2014, but wasn’t disclosed until last week in a filing with the California Public Utilities Commission. While AT&T wouldn't say how many customers were affected, state law requires such disclosures if an incident affects at least 500 customers in California.
Here’s what AT&T spokesman Mark Siegel said in a statement that was emailed to reporters:
"We recently learned that three employees of one of our vendors accessed some AT&T customer accounts without proper authorization. This is completely counter to the way we require our vendors to conduct business. We know our customers count on us and those who support our business to act with integrity and trust, and we take that very seriously. We have taken steps to help prevent this from happening again, we are notifying affected customers, and we have reported this matter to law enforcement."
The company was a bit more forthcoming in the letter it mailed to customers. It said the breach was related to the codes used to unlock a cell phone and the associated services. Locked cell phones can only be used on the networks of the carriers that sell them; once unlocked, they can be used on any compatible network.
What steams me is the delay in notifying customers. The longer someone’s personal data is out there, the more opportunities there are for fraud. Most companies swallow their embarrassment and quickly notify customers.
P.F. Chang’s China Bistro, a popular chain restaurant, learned last Tuesday that its defenses had been breached, and by Friday the company had notified customers. As quick as that was, one of my colleagues had to deactivate a number of credit cards he’d used at the restaurant because bogus charges had already appeared on his accounts.
Seriously? P.F. Chang’s can handle a data breach better than one of the largest telecommunications companies in the world? Shame on you, AT&T. I simply don’t understand why the company waited so long. What’s more important than guarding the security of its customers? My advice: Don’t recycle the next piece of snail mail you get from AT&T until you read it.