AT&T Sues, Alleging Fraudulent Access to Customer Accounts

By Ellen Nakashima
Washington Post Staff Writer
Thursday, August 24, 2006

AT&T Corp. on Wednesday filed suit in federal court to unmask and halt the actions of 25 people who allegedly posed as customers to gain unauthorized online access to private phone records.

Some 2,500 customers' records were stolen, AT&T alleges in its civil complaint. The affected customers have been notified and access to their online accounts frozen, the company said.

The AT&T case is but one example of a growing trend of data theft for commercial gain, involving not only phone records but bank, medical and other sensitive personal information. The thieves are sometimes lumped into a category called data brokers, which includes companies that legitimately gather and market information.

AT&T, headquartered in San Antonio, where the suit was filed, hopes to learn the defendants' identities through their Internet protocol addresses. AT&T has "most if not all" of the defendants' IP addresses and will ask the court to subpoena the Internet providers to disclose the identities linked to those addresses, spokesman Walt Sharp said.

Once the defendants are identified, AT&T wants them to return all customer records, account for all profits obtained by the theft and compensate AT&T for the damages caused.

"We're filing this lawsuit on behalf of our customers who have been the target of data brokers, who have fraudulently created accounts to obtain information," Sharp said.

The information is often used in legal or domestic disputes, as when a private investigator is hired to find out who a spouse suspected of straying may be calling.

Sharp said that of AT&T's total 48 million land lines, 2,500 defrauded accounts is a relatively small amount. "It's very, very, very tiny," he said. "But we consider any too many."

Information security consultant Rob Douglas said 2,500 accounts is "the low end of what's stolen every day."

Thieves are after more than phone records, he said. "They steal your cable TV records, your satellite TV records, your gas and electric records and all the rest," said Douglas, who edits, an information security Web site. "Every interaction we have is being recorded somewhere, and every minute thieves are working trying to figure out how to gain access to that information and use it for profit. That's what this demonstrates."

AT&T discovered the fraud in May through an ongoing internal monitoring of customers' accounts, Sharp said. The company has taken internal steps to prevent future occurrences, but will not disclose them because to do so would tip off fraud artists, he said.

The individuals gained access to the records by "pretexting" or fooling AT&T's computer or interactive voice response phone system into believing they were real customers. This was done by providing the customer's telephone number and the last four digits of the customer's Social Security number or the three-digit customer code associated with the customer's account, the complaint states. The defendants also sometimes used "spoofing" software to make it appear that they were calling from the customer's telephone, the complaint alleges.

In each instance, the defendant entered an e-mail address to be associated with the fraudulently established account, and AT&T's computer servers logged the IP address of the computer accessing the account.

In May, the Federal Trade Commission announced it had filed civil complaints charging five Web sites with violating federal law by obtaining and selling consumers' confidential phone records.

State and federal lawmakers are considering legislation to criminalize fraud related to calling records.

© 2006 The Washington Post Company