If you’ve not been paying attention, HP’s Chairwoman hired private investigators who lied their way to the phone records of board members and journalists. HP then lied to the SEC about why Silicon Valley eminence Tom Perkins resigned from the board, and Mr. Perkins, being a standup guy, called them on it. If you haven’t read “Tom Perkins’ Letter to The Directors of the Hewlett-Packard Company,” it is worth doing so, and noting the bit on page 3, where AT&T explains that the last 4 digits of Mr. Perkins’ SSN were used to authenticate some caller impersonating him.
One of the neat things about working at Microsoft is the steady stream of very smart people who happen to wander by my office. Friday, Niels Ferguson dropped by, and we had an interesting conversation about the case. In the course of it, we happened onto this topic, and through the conversation got to the question: was AT&T negligent in using the last four digits of the SSN as an authenticator?
As Pete Lindstrom enjoys pointing out, hundreds of thousands of people have access to your SSN in their jobs. AT&T, who used to employ one or two competent security people, ought to have known this, and done better. That’s clear to any security professional whose neurons are firing. The question I’d like to ask is, would a court be convinced?