
Hacker Mitnick may sue AT&T over data breach

Kevin Mitnick's mobile account gets breached. AT&T allegedly says it's not at fault and plans to drop his contract and not compensate for damages. Now he may sue.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Kevin Mitnick (Credit: Declan McCullagh/CBS Interactive)

After having his AT&T wireless account breached and his personal information posted on the Web, famed hacker Kevin Mitnick thought the least the cellular service provider could do was compensate him for his troubles.

Instead, the company informed Mitnick it plans to cancel his contract and not pay damages for the breach, he said. (His service was still working Thursday afternoon.) Now he may sue.

"AT&T wants me off their network because they can't secure my account, and after being a loyal customer for almost a decade I find that reprehensible," he told CNET News on Thursday. "It apparently is more cost effective to drop me than to secure their customer's information."

"My attorney is going to review my contract to see what, if any, restrictions are in my service agreement," he said. "I may file a lawsuit for invasion of privacy for the failure to adequately protect my information."

The irony is that he speculates that whoever is responsible for getting into his account used social engineering to do so. Mitnick spent five years in jail for breaking into computer networks, mostly using social engineering to get information out of insiders that enabled him to access their networks.

He describes such social engineering techniques in fictional stories in his book "The Art of Deception," including examples involving PacBell in which workers at retail stores reveal customer account details over the phone to someone they think works for the company.

"These guys probably read my book and decided to steal my information using social engineering because it is so easy," he said. "I told AT&T about this and they just ignored it."

"The bigger issue is that this ineffective security affects all AT&T customers," he said. "They need to start shoring up their defenses."

Mitnick learned in June that someone had posted his address, land and mobile phone numbers, PIN, e-mail address, instant messenger handles, and the last four digits of his Social Security number on the Web in March.

When he failed to get a response from AT&T after he complained, he called a lawyer who asked AT&T to pay an undisclosed amount for damages to his reputation and property rights, he said.

"We investigated Mr. Mitnick's claims and determined they were without any foundation," said AT&T spokeswoman Jenny Bridges. "We refused Mr. Mitnick's demands for money, but did offer to let him out of his contractual obligations so that he could find a carrier that he would be comfortable with."

Asked if Mitnick could keep AT&T as his provider, Bridges said she could not comment beyond that statement.

Mitnick's high-profile status makes him a celebrity among some hackers and a popular target for others. He's had his Web site hacked numerous times over the years, including twice in the past several months. He's even had trouble with Facebook after the social networking site disabled his account, believing him to be an impostor.

Most recently, Mitnick's site was among a group of security sites that were hacked and publicized on the eve of the Black Hat conference last month. As a result of the hacking, Mitnick was asked by his Web hosting provider, HostedHere.net, to find another place to host his site.

This isn't the first time Mitnick's AT&T account information apparently has been breached.

CNET News learned almost a year ago that someone had gotten access to Mitnick's mobile account while he was on a trip to Bogota, Colombia, but at the request of Mitnick at that time, agreed not to publish the information while the case was being investigated.

On his way to Colombia, during a stopover in Los Angeles, Mitnick received warning that his AT&T account would be breached with a social-engineering attack, he said in an instant message exchange in September 2008. He called AT&T with the details and asked it to take extra precautions to protect his account and require someone trying to change the account to provide the password verbally and not just the Social Security number, he said. Despite that effort, when he landed hours later, his password had been reset and the account was no longer in his control.

"I learn that these hackers (they called to warn me first) called an ATT Corporate store in Idaho (I have the rep's name) and she changed my e-mail address to what the hackers requested. So they just did a pw reset," he wrote in the IM exchange.

Asked about it in a follow-up conversation months later, Mitnick said the matter had been resolved and declined to comment further.

That Colombia trip was noteworthy for Mitnick for other reasons. On his return, after he landed at the Atlanta airport, Mitnick was detained for four hours and his computer equipment was inspected, for unknown reasons.