Sues, Alleging Fraudulent Access to Customer Accounts
Ellen Nakashima, Staff Writer
Thursday, August 24, 2006
AT&T Corp. on Wednesday filed suit in federal court to
unmask and halt the actions of 25 people who allegedly posed
as customers to gain unauthorized online access to private
Some 2,500 customers' records were stolen, AT&T alleges in
its civil complaint. The affected customers have been
notified and access to their online accounts frozen, the
The AT&T case is but one example of a growing trend of data
theft for commercial gain, involving not only phone records
but bank, medical and other sensitive personal information.
The thieves are sometimes lumped into a category called data
brokers, which includes companies that legitimately gather
and market information.
AT&T, headquartered in San Antonio, where the suit was
filed, hopes to learn the defendants' identities through
their Internet protocol addresses. AT&T has "most if not
all" of the defendants' IP addresses and will ask the court
to subpoena the Internet providers to disclose the
identities linked to those addresses, spokesman Walt Sharp
Once the defendants are identified, AT&T wants them to
return all customer records, account for all profits
obtained by the theft and to compensate AT&T for the damages
"We're filing this lawsuit on behalf of our customers who
have been the target of data brokers, who have fraudulently
created accounts to obtain information," Sharp said.
The information is often used in legal or domestic disputes,
as when a private investigator is hired to find out who a
spouse suspected of straying may be calling.
Sharp said that of AT&T's total 48 million land lines, 2,500
defrauded accounts is a relatively small amount. "It's
very, very, very tiny," he said. "But we consider any too
Information security consultant Rob Douglas said 2,500
accounts is "the low end of what's stolen every day."
Thieves are after more than phone records, he said. "They
steal your cable TV records, your satellite TV records, your
gas and electric records and all the rest," said Douglas,
who edits Privacytoday.com, an information security Web
site. "Every interaction we have is being recorded
somewhere, and every minute thieves are working trying to
figure out how to gain access to that information and use it
for profit. That's what this demonstrates."
AT&T discovered the fraud in May through an ongoing internal
monitoring of customers' accounts, Sharp said. The company
has taken internal steps to prevent future occurrences, but
will not disclose them because to do so would tip off fraud
artists, he said.
The individuals gained access to the records by "pretexting"
or fooling AT&T's computer or interactive voice response
phone system into believing they were real customers. This
was done by providing the customer's telephone number and
the last four digits of the customer's Social Security
number or the three-digit customer code associated with the
customer's account, the complaint states. The defendants
also sometimes used "spoofing" software to make it appear
that they were calling from the customer's telephone, the
In each instance, the defendant entered an e-mail address to
be associated with the fraudulently established account, and
AT&T's computer servers logged the IP address of the
computer accessing the account.
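
The enrollment e-mail and source IP described above are the two data points a defender can correlate across accounts. The sketch below is an added example, not code from the article, the complaint or AT&T: it links online enrollments that share an e-mail address or IP, directly or transitively, and reports clusters spanning several customer accounts. The record layout, the sample values and the `min_accounts` threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample: (account phone number, enrollment e-mail, source IP).
# All values are made up; the IPs come from documentation ranges.
ENROLLMENTS = [
    ("210-555-0101", "a1@example.net", "198.51.100.7"),
    ("210-555-0102", "a2@example.net", "198.51.100.7"),
    ("210-555-0103", "a2@example.net", "203.0.113.40"),
    ("210-555-0104", "a3@example.net", "203.0.113.40"),
    ("210-555-0150", "pat@example.org", "192.0.2.15"),
    ("210-555-0151", "lee@example.org", "192.0.2.99"),
    ("210-555-0151", "lee@example.org", "192.0.2.99"),  # same customer again
]


def linked_clusters(enrollments, min_accounts=3):
    """Group accounts that share an enrollment e-mail or source IP,
    directly or transitively, and return the clusters holding at least
    min_accounts distinct accounts, largest first."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for account, email, ip in enrollments:
        union(("acct", account), ("email", email.lower()))
        union(("acct", account), ("ip", ip))

    clusters = defaultdict(lambda: {"accounts": set(), "emails": set(), "ips": set()})
    for kind, value in list(parent):
        root = find((kind, value))
        key = {"acct": "accounts", "email": "emails", "ip": "ips"}[kind]
        clusters[root][key].add(value)

    flagged = [c for c in clusters.values() if len(c["accounts"]) >= min_accounts]
    return sorted(flagged, key=lambda c: len(c["accounts"]), reverse=True)


if __name__ == "__main__":
    for c in linked_clusters(ENROLLMENTS):
        print(sorted(c["accounts"]), sorted(c["ips"]), sorted(c["emails"]))
```

Linking on both identifiers catches an operator who changes IP address but reuses an e-mail address, or the reverse, which a per-IP count alone would miss.
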
In May, the Federal Trade Commission announced it had filed
civil complaints charging five Web sites with violating
federal law by obtaining and selling consumers' confidential
State and federal lawmakers are considering legislation to
criminalize fraud related to calling records.