Just to be clear up front, I haven’t experienced anything that would suggest any personal data had been stolen from AT&T. This post concerns a risky policy they seem to have switched to where they collect more personal information than they need.
On Tuesday of this week I was at the Apple Store in Emeryville to drop a laptop off for repair, and while there I thought I would pick up a nano SIM for my niece’s new phone (she is being upgraded from an iPhone 5 to an iPhone 6). Then, when I next see her, I will be able to call AT&T and have them switch the number to the new SIM. Something we’ve done several times before.
Every time I have walked into an AT&T store for something I have encountered different reasons why they can’t do the simple things I’ve been asking. Anything more complex I do over the phone because business support, which we get through a discount code on the account, is generally more capable of getting things right first time.
In the past, I’ve been told that even though I am authorized to make changes via telephone support, I am not allowed to make them in the store (the account is in my wife’s name for historical reasons). I’ve been told that I can’t pick up a SIM and activate it later (even though I’d done it less than a month earlier). And this week I was told that to get me a SIM they would need to know which number it was for, even though they wouldn’t be activating it. I gave them a number and the next thing he asked was to see my ID.
No problem, makes sense that he checks I am who I say. But no, he didn’t want to just see my ID. He wanted to swipe it through his terminal and record it.
There is no reason for AT&T to retain an electronic copy of my driver’s license information. No reason at all. And the fact that I can do almost everything with my account online or over the phone where swiping my ID is not an option tells me they don’t really need it.
I applaud them for checking the ID, but checking and scanning/swiping are totally different. I’ve seen this mentality in other places too (our kids’ doctor’s office asked to photocopy it once and I refused; same happened at a school where I refused to let them copy it).
Less is More
The @ATTCares social team employee I spoke to this morning was unable to order me a SIM either. Really! Her suggestion was to stop by a store and ask them.
And the reason for the unnecessary recording of my ID data: to protect my privacy. Talk about getting it wrong. Having a giant corporation, which already has lots of information about me, aggregating more personal information about its customers is ridiculous. History has shown that hacking large companies is not usually that hard. Indeed, a quick search online immediately found two cases where AT&T had data issues: in June 2011 email addresses were stolen, later in 2011 hackers attempted to steal data through a spear phishing attack (though AT&T say nothing was lost in this attack), and again in 2014.
That one in 2014 was an employee accessing data, and the article says this:
the company said the person may have obtained Social Security numbers, driver’s license numbers and AT&T services customers subscribed to.
If they had been recording the full information from the license swipes back then, that person would have had all that data too.
If companies like AT&T were smart they would limit the amount of data they collect to reduce their liability in the case that they have personal data stolen again. Collecting more might seem like a good idea (especially if your plan is to sell that data or use it to force advertising on people), but the day you get hacked and all that information is stolen it will become an expensive mistake.
A second person from the AT&T social media team called, and was also unable to order me a SIM from their system. He too just stated that it was now AT&T policy to swipe IDs and that it was for the protection of my AT&T account.
First off, swiping the ID does nothing more to protect the account than the employee in the store looking at it (unless they don’t trust their employees to verify identity).
Secondly, recording that extra data in my account makes me more vulnerable to identity theft, at which point protecting my AT&T account is not a high priority!
Finally, there are much better ways of validating that I am who I say I am (they could, for example, ask me to enter a PIN or password the way my bank does when I withdraw money from a human teller rather than an ATM).
All in all, AT&T seem to be proving that they have little understanding of protecting their customers’ personal information. Pretty sad.