AT&T flaw exposed customer data

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

Fair use for educational/research purposes only

AT&T flaw exposed customer data

Glitch let small biz customers see other customers’ records

By Bob Sullivan, MSNBC

Jan. 3 — A glitch in AT&T’s Web site has exposed billing and account information for thousands of small businesses, MSNBC.com has learned. The flaw allowed AT&T small business customers to view other customers’ account information. After receiving a call from MSNBC.com inquiring about the problem, AT&T disabled part of its Web site Tuesday afternoon to protect customer data. The site was repaired by Wednesday.

ABOUT 120,000 companies use AT&T’s “Small Business Center” Web site to track their telecommunications bills, according to spokesperson Paul La Plante, an AT&T spokesperson. Only existing customers who were logged into the AT&T system would have been able to exploit the flaw and see the exposed records.

A mischievous account holder could have viewed about six months’ worth of billing records for 120,000 companies, including individual phone call details, according to the company. On Tuesday, AT&T disabled some of the Web site’s functionality to prevent users from illicitly viewing customer data.

“We are not aware of any customers experiencing a problem related to this situation,” the company said in a statement. “Safeguarding customer information from unauthorized access is a top priority for us.” The company added that access to the data “was random in nature, so it was not possible, for example, for a business to learn information about a specific competitor.”

Company officials said the site was fixed and fully operational by Wednesday morning.

Frustrated AT&T small business user Tommy Dougherty, who works for a small central Virginia firm, brought the flaw to MSNBC.com’s attention. When checking his online bill statement recently, Dougherty discovered he could view other customers’ records. He now plans to cancel his AT&T service.

“We would consider this information to be pretty confidential. We are in a competitive business. We would terminate an employee if they disclosed this information,” he said.

Dougherty was particularly frustrated because he says AT&T essentially forced him and other small businesses to use that Web site recently by announcing it would no longer send out paper bills. “So everybody’s bill is on there whether they register or not,” he said.

La Plante said customers can call the firm and request paper records. The company actually has about 5 million small business customers, but only those 120,000 who are part of the firm’s “interactive advantage” offering are in the Small Business Center database that’s connected to AT&T’s Web site.

Following Dougherty’s two-step instructions, MSNBC.com was able to view dozens of billing records from small companies around the United States and Canada. For example, several months of records were accessible for the Better Business Bureau of Charlotte, N.C., and the Assembly of God church in Saint Charles, Mo. It also appeared that MSNBC.com would have been able to add or cancel telecommunications services for the companies, but AT&T disputes that.

Dougherty was critical of AT&T’s programming error that led to the flaw, suggesting the company is misleading users by telling them they are at a secure Web site. The Small Business Center does employ encryption to protect data from being stolen in transmission to AT&T. “[Users] think they are on a secure server. That’s true, the data is getting encrypted between me and the company. But I’m looking at someone else’s data,” Dougherty said.

According to a press release issued by AT&T, a redesigned version of the site was launched in June, incorporating “features and functionality in the easy-to-use manner customers have requested . . . For example, customers can order services, view and print account payment history, add new service lines or locations, and more.”

http://www.msnbc.com/news/510637.asp

-- Martin Thompson (mthom1927@aol.com), January 04, 2001
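The flaw in the article above (a logged-in customer could read a different customer's billing records, and transport encryption did nothing to stop it) has the shape of a missing object-level authorization check: the server confirms that the requester is logged in but never confirms that the requested account belongs to that login. The following is an added example and is not code from the article, from AT&T or from this forum; the article does not describe the site's actual mechanism, so the account identifiers, record contents, log format and function names are all constructed for illustration. It contrasts a lookup that trusts a client-supplied account id with one scoped to the authenticated session, and adds a small log scan of the kind a defender would use to spot cross-account reads after the fact.

```python
import re
from dataclasses import dataclass

# Constructed sample data: billing records keyed by account id. None of these
# accounts, phone lines or amounts come from the article.
BILLING_RECORDS = {
    "acct-1001": [{"month": "2000-11", "line": "555-0100", "amount": 142.50}],
    "acct-1002": [{"month": "2000-11", "line": "555-0199", "amount": 87.10}],
}


@dataclass
class Session:
    """Stand-in for an authenticated web session (assumed shape)."""
    account_id: str


class Forbidden(Exception):
    """Raised when a request targets data the session does not own."""


def vulnerable_lookup(session, requested_account):
    """Vulnerable shape: the account id comes straight from the request and the
    server only checks that *some* session exists before serving it. Any
    logged-in customer can therefore read any other customer's records."""
    if session is None:
        raise Forbidden("not logged in")
    return BILLING_RECORDS.get(requested_account, [])


def hardened_lookup(session, requested_account):
    """Hardened shape: the request is served only when the requested account is
    the one bound to the authenticated session. The check fails closed, so a
    mismatch is denied (and worth logging) instead of silently served."""
    if session is None:
        raise Forbidden("not logged in")
    if requested_account != session.account_id:
        raise Forbidden(f"session {session.account_id} may not read {requested_account}")
    # Note the lookup key is the session's id, not the client's parameter.
    return BILLING_RECORDS.get(session.account_id, [])


def demo():
    """Exercise both lookups from one session; returns (leaked, own, denied)."""
    s = Session(account_id="acct-1001")
    leaked = vulnerable_lookup(s, "acct-1002")   # another customer's data
    own = hardened_lookup(s, "acct-1001")        # the session's own data
    try:
        hardened_lookup(s, "acct-1002")
        denied = False
    except Forbidden:
        denied = True
    return leaked, own, denied


# Constructed access log (assumed format): which session asked for which account.
SAMPLE_LOG = """\
session=acct-1001 GET /billing?account=acct-1001 200
session=acct-1001 GET /billing?account=acct-1002 200
session=acct-1003 GET /billing?account=acct-1003 200
session=acct-1001 GET /billing?account=acct-1007 200
"""

LOG_RE = re.compile(r"session=(\S+) GET /billing\?account=(\S+) (\d+)")


def find_cross_account_requests(log_text):
    """Return (session, requested_account) pairs where a session read an account
    other than its own. On the vulnerable site every such line is a disclosure;
    on the hardened site they should all carry a 403 rather than a 200."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(1) != m.group(2):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    print(demo())
    print(find_cross_account_requests(SAMPLE_LOG))
```

The design point is that the hardened lookup never uses the client-supplied identifier as a database key; the session is the only source of truth for which account may be read, and the comparison against the request parameter exists to produce a deniable, loggable event rather than to select data.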

