Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!sdd.hp.com!wuarchive!uunet!lll-winken!telecom-request From: ehopper@attmail.com Newsgroups: comp.dcom.telecom Subject: AT&T Employee Makes Private Phone Records Public!! Message-ID: Date: 7 May 91 14:46:20 GMT Sender: Telecom@eecs.nwu.edu Organization: TELECOM Digest Lines: 45 Approved: Telecom@eecs.nwu.edu X-Submissions-To: telecom@eecs.nwu.edu X-Administrivia-To: telecom-request@eecs.nwu.edu X-Telecom-Digest: Volume 11, Issue 341, Message 5 of 9 I too was shocked by Randy's disclosure of proprietary customer information. Such an action is definitely NOT condoned by AT&T. In fact, it is a violation of the AT&T "Code of Business Conduct" which all employees review and sign periodically. The problem here is the failure of the individual. Randy apparently is (perhaps "was") employed by the marketing organization and therefore had legitimate business reason to access this information. He did not, however, have legitimate cause to invade the customers privacy by disclosing information on that customer to others without a need to know. Some other comments about access by AT&T employees to confidential information caused me to engage in some reflection about security of that information. Let me tell you my perceptions. As an employee of Computer Systems, I have access to certain automated systems that are used by various elements of the company. For example, I have access to DOSS, the ordering/records system for PBX and computer customers. I do not have access to (nor do I even know the names of) the long distance records systems. I don't need to know, therefore I can't get in. This is typical of all AT&T systems. While security was somewhat lax in some non-critical areas a few years ago, all corporate systems now require individual accounts and passwords. You can only get an account by having appropriate management authorization and a need to know. Thus, I can look at equipment records, but not long distance. I do have access to general marketing information for long distance, pbx and computer systems. General marketing information is not customer specific. Instead it's things like price lists and tariffs, product announcements and some design tools. In other words, I couldn't do what Randy did as my division has no need for access to these systems. Was it a breach of trust? Absolutely. Unfortunately a moment of indiscretion may end up costing Randy quite a bit. That is unfortunate. I hope he is only reprimanded and not terminated. I fear the latter, however. Ed Hopper AT&T Computer Systems (Speaking only for myself.)