September 8, 2006 4:17 PM PDT
Security breaches are wake-up calls to phone companies
Earlier this week, Hewlett-Packard acknowledged that it launched an investigation into a boardroom leak that resulted in the hiring of a private investigator to gather information on telephone calls made and received by board members and nine journalists, including News.com's Tom Krazit, Dawn Kawamoto and Stephen Shankland.
The news has once again highlighted a growing problem plaguing the telecommunications industry: "pretexting," a scam in which unauthorized individuals pretend to be someone they're not to obtain personal information. Private investigators and con artists have been using this technique for years not just to obtain phone records, but also to get access to bank records, credit card information and other sensitive information.
The telecommunications industry came under fire nine months ago when news reports pointed to Web sites where customer records could be openly purchased. The news prompted several phone companies, including Cingular Wireless, Sprint, T-Mobile and Verizon Wireless, to sue brokers selling customers' phone records. And lawmakers in Congress have also drafted legislation criminalizing the act of pretending to be someone else to get telephone records.
Other industries are also vulnerable to pretexting scams, but experts say the telecommunications industry lags behind them in protecting customer information.
"There's no doubt that the telecommunications industry has been extremely lax in authenticating customers," said Robert Douglas, an information security consultant and former private investigator with a company called PrivacyToday.com. "There's an institutional perception of 'What's the big deal. It's just phone records.' And that has to change."
While all the phone companies claim that customer privacy is very important to them, statements from at least one carrier embroiled in the recent scandal suggest that the release of phone records ranks below that of other personal information.
AT&T, which provided the phone records of at least one HP board member and one reporter in this week's evolving flap, filed a lawsuit last month in San Antonio to find out the identities of unnamed defendants who had supposedly accessed some 2,500 customer records without permission from those customers. The company filed a similar lawsuit Wednesday in San Francisco. Despite its pending legal action, the company has tried to downplay the issue.
"We've identified 2,500 customers who could have been victimized," said Walt Sharp, a spokesman for AT&T. "That's a tiny fraction of our 48 million landline customers. What we're dealing with here is not access to financial information. This is not credit card or driver license number records. It's nothing of that nature."
Carriers are wary about discussing specifics of how they secure customer data. Sharp, for example, would not elaborate on how AT&T authenticates access to customer records. But e-mails sent to subjects of the pretexting scam suggest that all that is needed is an e-mail address and the last four digits of a Social Security number.
A spokeswoman for Sprint Nextel said the company suggests customers create a password, but it also allows users to access accounts online using only their phone number and the last four digits of their Social Security number.