Hacker Mitnick may sue AT&T over data breach

Kevin Mitnick

(Credit: Declan McCullagh/CBS Interactive)

After having his AT&T wireless account breached and his personal information posted on the Web, famed hacker Kevin Mitnick thought the least the cellular service provider could do was compensate him for his troubles.

Instead, the company informed Mitnick it plans to cancel his contract and not pay damages for the breach, he said. (His service was still working Thursday afternoon.) Now he may sue.

"AT&T wants me off their network because they can't secure my account, and after being a loyal customer for almost a decade I find that reprehensible," he told CNET News on Thursday. "It apparently is more cost effective to drop me than to secure their customer's information."

"My attorney is going to review my contract to see what, if any, restrictions are in my service agreement," he said. "I may file a lawsuit for invasion of privacy for the failure to adequately protect my information."

The irony is that he speculates that whoever is responsible for getting into his account used social engineering to do so. Mitnick spent five years in jail for breaking into computer networks, mostly using social engineering to get information out of insiders that enabled him to access their networks.

He describes such social engineering techniques in fictional stories in his book "The Art of Deception," including examples involving PacBell in which workers at retail stores reveal customer account details over the phone to someone they think works for the company.

"These guys probably read my book and decided to steal my information using social engineering because it is so easy," he said. "I told AT&T about this and they just ignored it."

"The bigger issue is that this ineffective security affects all AT&T customers," he said. "They need to start shoring up their defenses."

Mitnick learned in June that someone had posted his address, land and mobile phone numbers, PIN, e-mail address, instant messenger handles, and the last four digits of his Social Security number on the Web in March.

When he failed to get a response from AT&T after he complained, he called a lawyer who asked AT&T to pay an undisclosed amount for damages to his reputation and property rights, he said.

"We investigated Mr. Mitnick's claims and determined they were without any foundation," said AT&T spokeswoman Jenny Bridges. "We refused Mr. Mitnick's demands for money, but did offer to let him out of his contractual obligations so that he could find a carrier that he would be comfortable with."

Asked if Mitnick could keep AT&T as his provider, Bridges said she could not comment beyond that statement.

Mitnick's high-profile status makes him a celebrity among some hackers and a popular target for others. He's had his Web site hacked numerous times over the years, including twice in the past several months. He's even had trouble with Facebook after the social networking site disabled his account, believing him to be an impostor.

Most recently, Mitnick's site was among a group of security sites that were hacked and publicized on the eve of the Black Hat conference last month. As a result of the hacking, Mitnick was asked by his Web hosting provider, HostedHere.net, to find another place to host his site.

This isn't the first time Mitnick's AT&T account information apparently has been breached.

CNET News learned almost a year ago that someone had gotten access to Mitnick's mobile account while he was on a trip to Bogota, Colombia, but at the request of Mitnick at that time, agreed not to publish the information while the case was being investigated.

On his way to Colombia, during a stopover in Los Angeles, Mitnick received warning that his AT&T account would be breached with a social-engineering attack, he said in an instant message exchange in September 2008. He called AT&T with the details and asked it to take extra precautions to protect his account and require someone trying to change the account to provide the password verbally and not just the Social Security number, he said. Despite that effort, when he landed hours later, his password had been reset and the account was no longer in his control.

"I learn that these hackers (they called to warn me first) called an ATT Corporate store in Idaho (I have the rep's name) and she changed my e-mail address to what the hackers requested. So they just did a pw reset," he wrote in the IM exchange.

Asked about it in a follow up conversation months later, Mitnick said the matter had been resolved and declined to comment further.

That Colombia trip was noteworthy for Mitnick for other reasons. On his return, Mitnick was detained for four hours and his computer equipment inspected after he landed in the Atlanta airport for unknown reasons.

[gggg sssss]

ROTFLMAO

[Orion Blastar]

It wouldn't be that funny if it happened to you.

[Have-A-Nice-Day]

Kevin __ litigate - mitigate and WIN!

[Orion Blastar]

Not just Kevin Mitnick is at risk, but anyone else is at risk if an Internet service does not have precautions against social engineering. Social engineering is basically pretending to be someone else in order to gain access to an account or service.

For example someone can claim to be from XYZ Corp and call XYZ Corp and claim to be an Administrator and use all of the jargon and code words an Administrator for that company might use, and then get access to someone's password or ask to change the email address to one of their addresses and then just do a password reset.

Celebrities are most often targets of this sort of attack. Sarah Palin's email was hacked that way, as was Paris Hilton's mobile phone. But it doesn't have to be a celebrity who is the target it could be anyone.

Let's say you run a business and your competitors can claim to be you to get your business phone or email account switched off or changed. When I ran a business in 2000 someone pretended to be me and got my business phone and home phone switched off by saying he wanted to cancel my contract. After that I had to put a password on my account via the phone, and without someone giving the password they cannot pretend to be me anymore. In a way these social engineering scams are also identity thefts, in which someone steals another person's identity.

Kevin Mitnick did his jail time for his crime, but he revealed the secrets of social engineering and now he is a security consultant, as it takes one to catch one. I am sure he can give AT&T advice to help secure his account and get rid of social engineering scams, and it would also stop other people from getting their accounts taken over.

[Have-A-Nice-Day]

Revealed secrets of social engineering? "Social engineering" has been around since the first cave man traded a shiny rock for a slab of meat.

Precautions of Social engineering? ( rolls eyes) Right! A lowly paid corporate pee-on who makes $300 a year in the USA or grossly less if in the Philippines, Guam or India, Let's say you target and acquire a worker, become friends or not, and offer a months salary to the individual. How long and how many are your going to have to go through until you have succeeded in your goal?
________________________

Contrary to your beliefs and or opinions, there is no such thing as "security", there are only temporary placements of issue avoidance that can and will be compromised by the innate competitive human ability to achieve.

[Super2online]

@Have-A-Nice-Day I think you're forgeting that AT&T is required by public opinion to provide security whether they like it or not. The either or proposition here is that you either do it, or consumers will change providers. When enough of them do that, they start to get the picture.

Kevin isn't the issue, security of everyones personal information is, and the damage that can be caused when they believe they can ignore that responsibility. If what Kevin is saying is true, and can be proved, then I believe they should be held accountable.

The fact that he did the same to others isn't at issue. He was caught, and paid for what he did, now it's there turn.

[tektaktyks]

yea he should sue and win,can any att costumer sue for their lack of security ,knowing about it and not doing anything? ?is there a law that states that my information must be protecded by them? can we all sue?any lawyers here?hello?

[T_Hoff]

I guess it's OK when Kevin Mitnick does it to others, but it's not OK when it happens to him. Got it.

Suck it up, Kevin!

[monkeyfun14]

And he paid for it.

[krosafcheg]

No kidding. Kevin Mitnick steals peoples ID, social security numbers, credit card information. But when somebody does it to him, then he doesn't like it. Kevin Mitnick is not a nice person.

[billsoxs]

Let see about 4 years in jail is what I think he got. For the last 10 or so years he has worked the other side of the fence. The man paid his debt to society.

[PhaseDMA]

Anything this man has stolen from society he has given back ten fold.

Of course I would be upset if I was one of the people effected by his illegal acts, but I'm not, and your not so that is neither here nor there.

[jty12388]

Lets not all forget that Mitnick's crimes where not malicious. He did these things out of curiosity. People have received lesser punishment for murder.

And some people are missing the bigger picture here. It's not that HE got hacked, its that if he was hacked ANYONE could be hacked, and rather then fixing the problem they are choosing to ignore it. If your comfortable with that in today's society, you need to upgrade your bios.

[cvaldes1831]

What a great business model for a reformed hacker. Excellent job, Kevin!

[krosafcheg]

He isn't reformed. He's still hacking.

[cvaldes1831]

So his t-shirt makes him a liar, eh? Hope he wears that to court!

[JustinScientist]

What a great business model for a hacker. For all we know, he's still got the facade going. He probably hacked his own account and demanded money. Talk about a great business model.

[ITcomposer]

Um do any of you people realize his private life is well, no longer private, if this is the case any of the ATT users could probably suffer from this, so this is just the beginning, hmmm and to think i was going to drop my carrier for ATT, not anymore im not!

Sorry Att you won't get a penny out of me

[ITcomposer]

To KROSAFCHEG": the hacking he does is called ethical genius, he is a security consultant now, gees when will people get their fact straights, if i was ATT i'd hire him in a heartbeat

to: CVALDES: Um. read my post, and btw, this could be grounds for a class action lawsuit if it turns out the case ATT is not safeguarding their clients' identitiy/

[jwissick]

Remind me what this POS is out of prison again?

[Have-A-Nice-Day]

How about to protect the denizens of idiocracy.

[Dalkorian]

If you actually expect an intelligent response, you should first offer an intelligent and sensible question. I suggest either replacing "what" with "why", or inserting the word "doing" between "is" and "out".

That said, maybe he's out of prison because his crime wasn't severe enough to warrant the death penalty or life in prison. Maybe, just maybe, he's paid his price. Maybe, just maybe, the idea of our prison system is to reform the individual so they may be re-integrated back into society. Yeah, it doesn't usually work, but some argue that it appears to have in this case. Kevin isn't hacking people criminally anymore, he's now using his knowledge and skills to protect against criminal hackers.

Remind me what you are doing out of the third grade again?

[AstridAir]

What if the name was Elinor Mills, Brad Pitt or Joe Blow? The fact that he's been a target for whatever reasons doesn't let AT&T off the hook for not protecting privacy or escalating the level of security. Come on, the pw was changed at a store in ID? Unless that's in his neighboorhood, there should have been a lot of questions. Credit card companies raise all sorts of questions when charges are made in foreign countries, what the heck is wrong with AT&T having (multiple) confirmations on high profile or even problematic clients?

[Have-A-Nice-Day]

Elinor is an ultra-security-fox ..she can crack my accounts anyday, and I won't even tell on her...

Have-A-Nice-Day

[GoOwls]

I agree. If a murderer gets killed one might find it ironic or that the guy deserved it, but it does not mean that the killer should get off easy because his victim was hard to sympathize with. Letting the culprit off the hook puts regular folks in danger.

[n3td3v]

His t-shirt should read "I'm not a hacker i'm a script kiddie"

[pentest]

Jealous much?

[Internet-Lawyer]

That's karma. A lawsuit would be ridiculous. Can't blame ATT for dropping a hacker whose account has been hacked. As an <a href="http://www.web20lawyer.com">Internet Lawyer</a> i accept ATT's responsibility in maintaining our privacy. On the other hand, some accounts may be too difficult to protect.

[billd888]

What a cop out, AT&T should be protecting all customer accounts equally, no matter how difficult that is. Their failure to protect his information is a clear indication of how well they protect any of their customer's information. A lawsuit is certainly in order here and it has definite potential for a class action lawsuit.

[SecurityEngineer]

Thank you Internet-Lawyer!

Why is it that many people here fail to realize that AT&T, as well as most other companies that provide services to the public, have a need to maintain the security of their user's PRIVATE information? So, if someone were to call up AT&T customer support and manage to get the credit/debit card you used to pay your bill and then go on a spending spree, that is not AT&T's fault? YOU BET IT IS! Just look at what states like Massachusettes is attempting to do with their PII laws. As being married to someone who has had their identitiy stolen, I am extremely sensitive to this and it is the vendor's requirement to maintain security AT ALL LEVELS!

Let your data be stolen and NO MATTER WHAT you will be complaining to your service provider about how "they should have protected my information" and "how could they have let someone steal my data"...

WAKE UP! It is not Kevin's fault, or any security engineer's fault! It is the people out there in the world that think that security is a one time event. IT IS NOT! You must maintain a level of security appropriate to the data you are storing and maintaining.

[doubtthat]

How ironic. He spent years hacking and causing trouble and then cries like a baby when someone does it to him. He gets no pity from me.

I guess there is no honor among hackers. Maybe it is a big win in the hacking world to hack a hacker?

[donsms]

Any way we could exile this guy to Colombia?

[RighteousSoutherner]

What goes around comes around. This guy is a piece of work!

[gdmaclew]

Oh, I see.
So if a guy robs a bank, gets caught, gets convicted and serves his time in jail according to the laws of the land, he should no longer receive the protection of those same laws?
Do you not understand the concept of crime and punishment?
You do a crime, do your time and if someone does the same crime to you, he/she gets convicted and does their time.
Why is this such a hard concept for you to grasp?
You know what the problem is in today's society? People cannot put themselves in the "other guy's" shoes. They are far to willing to condemn the other guy without thinking "what if this were me".
Do yourself a favour and think before you speak.

[C0mmanderB0nd]

So he is a security "expert" but expects AT&T to protect him....

He has seen how easy it is to social engineer attacks against bloated corporations but he expects special treatment because he wears a goofy Tshirt now????

And wasn't he bragging earlier around black hat when other "experts" servers were hacked that only and idiot would expect privacy on anything connected to a public network. Maybe he made someone mad and hijacking his AT&T account was merely a stab back at him.

[pentest]

"So he is a security "expert" but expects AT&T to protect him.... "


Expert or not, it is not like there is much he can do to protect AT&T's network or keep its employees from being stupid.

[Dalkorian]

sarcasm
No, you're wrong Pentest. If he was the security expert he claimed to be, he could secure AT&T's network and operations without permission or access to the facilities. He could screen their customer support staff to make sure everyone knew how to identify a social engineering attack, he could force AT&T to change their rules and only accept a person when they offered the correct password and secret handshake. Since he couldn't do all this, he's obviously a fake.
end sarcasm

Isn't is amazing how rare thought has become? Maybe Idiocracy wasn't a comedy after all.

[C0mmanderB0nd]

So the real irony is he writes a "fictional" book outlining social engineering using employees at a Telco's store locations but he is shocked when the methods he wrote a book on are turned on him?

Shouldn't he know better that social engineering works because the wage slave at the retail store isn't going to be the most up to date on policies and will use personal discretion to violate policies that make their job harder!

His expertise and experience should tell him nothing he has tied to AT&T is secure. But I am sure if he wants he could start his own wireless carrier and secure it however he likes....

[dennisheadley]

No one knows the facts about this but him and AT&T at this point, So getting all upset and trashing the guy or AT&T is useless at this point. For all that anyone here knows, that earlier incident during the trip that no one can discuss now may have ended in him being outed as doing it himself for publicity / monetary gain and that is the reason they are telling him this time we want you off our network.

Also there is absolutely no way that any company can completely secure your data. It is an impossible to do so, as new exploits to software / hardware systems are found all the time by people trying to find the holes in things. No company can make something that another group can't with time figure out a weakness in given enough time. And no other carrier that I know of has not had breaches in the new themselves over the last few years, so saying that AT&T is worse than any other one is baseless.

If this guy can't even secure his own website, email server, and home computer (which if i remember correctly was hacked prior to Black Hat) then how does he expect anyone else to?

[shanedr]

Hammurabian justice at its best. Live with it Kevin.

[dennisheadley]

Was thinking about this more and have to ask some questions of the people posting responses here.

So you are using AT&T for your carrier. You set a pin and a security question for your account. Someone calls up and gives the right responses so you make the changes requested. Are you at fault if it wasn't the real account holder you talked to? I say no.

The consumer has responsibilities also. To make choices on security questions that aren't obvious to anyone who knows you. To not save all your answers and pins in a text file named passwords.txt in my documents folder. To not throw out that letter with your default PIN that they sent you in the mail without so much as crumpling the paper. The total amount of security that a company can give you is limited by what they are given to work with.

I make this mistake myself all the time. I always pick the security question "where were you born?" and answer it with "in a barn". Thinking its clever because I know they were looking for something else and the saying is easy to remember. Yes, probably for me and a million other people with the same idea. Another thing that I do is use the exact same password/user id at every site i register at if possible and the same 4 digit pin when given the choice on my own pin. I made up the password out of a string of letters and numbers that don't mean anything at all so i doubt anyone would be able to figure it out without expending more time that it was worth to do so. I totally overlooked that fact that if someone gets my info at Facebook they could go to just about any other internet site worth visiting and get into all my other accounts also.

[Thad Boyd]

"The irony is that he speculates that whoever is responsible for getting into his account used social engineering to do so. Mitnick spent five years in jail for breaking into computer networks, mostly using social engineering to get information out of insiders that enabled him to access their networks."

Does that really qualify as irony, though? That's like saying it's ironic for a firefighter to be burned in a fire. It's not irony so much as an occupational hazard.

...maybe dramatic irony. Maybe.

[kevsmail]

Talk about irony! But I hope AT&T is made to PAY. Their lazy attitude toward data security is ridiculous and should be a warning that all their customers are vulnerable.