Just to be clear up front, I haven’t experienced anything that would suggest any personal data had been stolen from AT&T. This post concerns a risky policy they seem to have switched to where they collect more personal information than they need.
The Backdrop
On Tuesday of this week I was at the Apple Store in Emeryville to drop a laptop off for repair, and while there I thought I would pick up a nano SIM for my niece’s new phone (she is being upgraded from an iPhone 5 to and iPhone 6). Then, when I next see her, I will be able to call AT&T and have them switch the number to the new SIM. Something we’ve done several times before.
New Policy
Every time I have walked into an AT&T store for something I have encountered different reasons why they can’t do the simple things I’ve been asking. Anything more complex I do over the phone because business support, which we get through a discount code on the account, is generally more capable of getting things right first time.
In the past, I’ve been told that even though I am authorized to make changes via telephone support, I am not allowed to make then in the store (the account is in my wife’s name for historical reasons). I’ve been told that I can’t pick up a SIM and activate it later (even though I’d done it less than a month earlier). And this week I was told that to get me a SIM they would need to know which number it was for, even though they wouldn’t be activating it. I gave them a number and the next thing he asked was to see my ID.
No problem, makes sense that he checks I am who I say. But no, he didn’t want to just see my ID. He wanted to swipe it through his terminal and record it.
Identity Protection
There is no reason for AT&T to retain an electronic copy of my driver’s license information. No reason at all. And the fact that I can do almost everything with my account online or over the phone where swiping my ID is not an option tells me they don’t really need it.
I applaud them for checking the ID, but checking and scanning/swiping are totally different. I’ve seen this mentality in other places too (our kids’ doctor’s office asked to photocopy it once and I refused; same happened at a school where I refused to let them copy it).
Less is More
The @ATTCares social team employee I spoke to this morning was unable to order me a SIM either. Really! Her suggestion was to stop by a store and ask them.
And the reason for the unnecessary recording of my ID data: to protect my privacy. Talk about getting it wrong. Having a giant corporation, which already has lots of information about me aggregating more personal information about its customers is ridiculous. History has shown that hacking large companies is not usually that hard. Indeed, a quick search online immediately found two cases where AT&T had data issues: in June 2011 email addresses were stolen, later in 2011 hackers attempted to steal data through a spear phishing attack (though AT&T say nothing was lost in this attack), and again in 2014.
That one in 2014 was an employee accessing data, and the article says this:
the company said the person may have obtained Social Security numbers, driver’s license numbers and AT&T services customers subscribed to.
If they had been recording the full information from the license swipes back then, that person would have had all that data too.
If companies like AT&T were smart they would limit the amount of data they collect to reduce their liability in the case that they have personal data stolen again. Collecting more might seem like a good idea (especially if your plan is to sell that data or use it to force advertising on people), but the day you get hacked and all that information is stolen it will become an expensive mistake.
Update
A second person from the AT&T social media team called, and was also unable to order me a SIM from their system. He too just stated that it was now AT&T policy to swipe IDs and that it was for the protection of my AT&T account.
First off, swiping the ID does nothing more to protect the account than the employee in the store looking at it (unless they don’t trust their employees to verify identity).
Secondly, recording that extra data in my account makes me more vulnerable to identity theft, at which point protecting my AT&T account is not a high priority!
Finally, there are much better ways of validating that I am who I say I am (they could, for example, ask me to enter a PIN or password the way my bank does when I withdraw money from a human teller rather than an ATM).
All in all, AT&T seem to be proving that they have little understanding of protecting their customers’ personal information. Pretty sad.
Couldn’t agree with you more. I am moving all my lines to Verizon in the morning for this very purpose. They do not scan DL cards.
I absolutely agree with everything you’ve said. At the very least they should provide in writing what is being scanned, how long it is being kept and whether or not it is being used for any other purposes. Selling it or running credit check.
The same thing happened to me today, when I decided on a impulse to walk into an AT&T store at the mall while walking by. I went in and decided that I would open a brand new account.in my name with 2 of the latest Iphone X, anyway they needed to run a soft inquire first to determine my credit worthiness to see if I qualify for there zero down 24 month payment plan, well why not.. The representative ask me for my state issued driver license, so I gave it to him! He then took out a little square box and it began to illuminate a red beam of light on my license, he did it 4 times to no avail until he just started typing my info manually into his iPad, after he was finished he gave me my licence back and asked me to type my social security number into the credit application on his iPad twice. After about 3 minutes I was approved for the zero down 24 month no contract plan for the 2 iPhone’s. He said hold on he had to go get the phones, I waited for roughly 10 minutes before he came out from a back room with the phones, another representative beside him. Walked across from me at the table I waited at and asks to see my driver licence.again so I said sure here it is! He then takes out his little box and pointed his laser light scanner thingy at my barcode on my license, and again after 4 trys of not being able to get my information to scan to there little black box., he hands me back my state issue driver license and says I’m unable to sell you the phones now or tbecome a new member of AT&T, told me to leave. Now if the rep that was helping me with. The credit app knew.that he couldn’t process my.new account with my licence.not scanning, then tell me this why in he’ll did he ask me to type my frigg’in social security number into the credit app on his iPad not once but twice to have me finish getting approved for whatever I wanted., my great credit score assured me of that! So now I had to not only shamely walk out the store, head.down, they took my personal information from me so they can access my great credit score to in the end I got screwed at all ends .
I got hit with this today. Thing is, I was upgrading a phone on my company’s business account. They swore they had to know who I was and check it against the information they had on file but I had never given them my info because I’m just an authorized user in the account, nothing is in my name. I was told it was to prevent fraud and that looking at it did nothing because people make fakes (“you wouldn’t believe how many times this happens…”). I asked, if someone was to go through the trouble of faking an ID, don’t you think they would fake the bar code? Stunned looks, cricket sounds. I told my company I’m never going back to the store.
Was upset when I went in to pay my internet bill at Los Altos store in Sparks. Said machine I frequently use not working. Wanted ID to process my credit card payment & young woman scanned barcode on back of NV drivers license. Concerned ID theft. Been paying there at least 10 years & am always Creeped out when am told machine not working.
As a police officer and investigator of financial crimes for over 33 years, I can only think of 1 reason AT&T scans the barcode on your government issued driver’s license. And only 1, they sell the information to marketing companies. I will not open an account with AT&T because of this. They simple don’t need access to all of the data on DL magnetic strip.
After numerous screw ups by att (been a customer over 10 years), I had to show my ID in att store. They still screwed up my phone order upgrade and after several calls was given 800-866-1514 to call. Guy with accent says I need to scan in my ID. I said no way, got a supervisor who was rude. Went on att chat, got problem resolved and left feedback. Att needs to know about id scam.
When I went to get AT&T service back, they asked for my social security number. Now here’s what so many people don’t know. F.B.I. says that no businesses can ask for or keep a persons full social security number. They can only have the last four digits. It is to prevent identity theft. Usually my wife goes and pays our AT&T until this last time, they had me come in to scan my license, which made me feel instantly like a Red Flag went up. I’m switching to another internet service provider.