Discuss how this threat could have been prevented or detected.
1. Describe three (3) controls that could have prevented the act and avoided or mitigated the risk. They should be classified as technical, physical, or administrative controls.
2. Describe each control and provide a statistic or fact from a reputable source that supports your proposed security measure.
3. Defend each security measure and why you think this would help to further secure the organization's information assets.
Instructions: Your control cannot duplicate another classmates.
Examples:
Implement logon banners (administrative control)
Institute periodic security awareness training for all employees (administrative control)
Audit logging and monitoring (technical control)
• Name: Various Call Center agents in Mexico, Columbia, and Philippines call centers.
• Position: Call Center representatives.
• Motive: It appeared that these call center agents main motive for accessing this information was for personal gain, assuming monetary.
• How was the threat implemented? The threat was not difficult to implement because AT&T did not do a good job of protecting this information from their call center agents. The agents had access to customer names, SSN's, and "customer proprietary network information" (CPNI)
• What was the cost? Significantly High. The FCC imposed a civil penalty of $25 million dollars. Additionally, they had to pay for credit monitoring services for all of the affected customers.
This data breach took place over multiple months, starting in November 2013 and concluding in April 2014. In this case, agents in the call centers of Mexico, Columbia, and the Philippines had access to customers' information. The agents had access to the customer names, full and partial Social Security numbers, and "customer proprietary network information" (CPNI). The CPNI information is used to unlock customers cell phones to allow usage.
After the FCC investigation of the Mexico call center, the FCC determined that 3 agents accessed records of more than 68,000 customers.
This information was provided to unauthorized third parties who then used the information to place over 290,000 unlock requests through the AT&T network in order to get stolen cell phones service with AT&T.
While the original investigation was taking place, AT&T reported to the FCC that approximately 40 employees at the Philippines and Colombia call centers had access to this same information. Again, this information was leaked to unauthorized users and more unlock codes were used to initiate service, affecting approximately 211,000 more customers.
As a result, the FCC imposed a civil penalty on AT&T of $25 million dollars. Additionally, AT&T had to pay for credit monitoring services for all of the affected customers.