As a PCI assessor I was often asked how to protect the personally identifiable information (PII) captured within audio recordings. Call centers, especially very large and distributed ones, tended to end up with giant archives of people talking about payment information. Packet capture systems, such as intrusion detection or network forensics tools, also tended to collect payment card data discussed over the network (e.g. on IP phones).
The bottom line (pun not intended) was that working with audio security is an interesting challenge and can add some flavor to the usual job of masking, replacing or encrypting stored data.
And yet despite a body of knowledge in this area, leading to steady improvement in security tools to reduce fraud from audio data, we still see major disasters in the news. I believe this is not a failure of technology but rather a higher-level management issue: just as quality engineering can't really be blamed on tools so much as on attention to detail.
Take for example AT&T, which has just been fined $25m by the FCC for three breaches:
In May 2014, the Enforcement Bureau launched its investigation into a 168-day data breach that took place at an AT&T call center in Mexico between November 2013 and April 2014. During this period, three call center employees were paid by third parties to obtain customer information — specifically, names and at least the last four digits of customers’ Social Security numbers — that could then be used to submit online requests for cellular handset unlock codes. The three call center employees accessed more than 68,000 accounts without customer authorization, which they then provided to third parties who used that information to submit 290,803 handset unlock requests through AT&T’s online customer unlock request portal.
One attack would be a problem. Three impostors are a sign of something far more troubling: management is not detecting or preventing active infiltration designed to bypass internal controls and steal valuable data. Organized crime still shows success at either coercing staff or planting attackers in call centers to leak PII for financial gain. And if three impostors aren't bad enough, the FCC goes on to document another forty individuals found stealing PII.
Kudos to the FCC for their investigation and subsequent action. I believe it is right for them to emphasize a top-level management approach as a solution.
The people who were caught in the act of stealing (the impostors themselves) will likely go to jail (as was also found in the recent Bechtel executive fraud case). New oversight needs to be forced by regulators at the top levels of company management so they pay better attention to impostors and other attackers stealing PII.
…AT&T will be required to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional, conducting a privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual, and regularly training employees on the company’s privacy policies and the applicable privacy legal authorities. AT&T will file regular compliance reports with the FCC.