The earlier flurry of fines and lawsuits against brokers of telephone subscriber records has continued with this recent gust from AT&T. The company has filed suit in federal court in Texas against 25 entities, which are as yet, unnamed.
AT&T, headquartered in San Antonio, where the suit was filed, hopes to learn the defendants’ identities through their Internet protocol addresses. AT&T has “most if not all” of the defendants’ IP addresses and will ask the court to subpoena the Internet providers to disclose the identities linked to those addresses, spokesman Walt Sharp said.
I gather that the suspected data collectors gained unauthorized access by changing account passwords for either AT&T or their customers to be alerted. If so, the targets of this case may differ from those cited in the FCC investigation –entities which advertised on the Internet–, assuming that they were flying under the radar. Or the purchasers of the personal information may have concluded that they were beyond the reach of the government or courts.
The individuals gained access to the records by “pretexting” or fooling AT&T’s computer or interactive voice response phone system into believing they were real customers. This was done by providing the customer’s telephone number and the last four digits of the customer’s Social Security number or the three-digit customer code associated with the customer’s account, the complaint states. The defendants also sometimes used “spoofing” software to make it appear that they were calling from the customer’s telephone, the complaint alleges.
In each instance, the defendant entered an e-mail address to be associated with the fraudulently established account, and AT&T’s computer servers logged the IP address of the computer accessing the account.
The history of this swarm of regulation, litigation and legislation is recounted in InternetNews.
Technology Evangelist is dismayed by the ease with which humans can talk their way into getting facts.