AT&T’s Being Weirdly Cagey About A Major Data Breach Impacting 73 Million AT&T Users
from the never-heard-of-the-guy dept
AT&T is under fire after a hacker last month posted the personal information (names, addresses, phone numbers, and social security numbers) of roughly 73 million customers to the open web. Troy Hunt, security researcher and owner of data breach notification site Have I Been Pwned, notes the data first appeared a few years ago courtesy of a hacker seeking payment.
In March the originally encrypted data was dumped on the open web. But since the data first appeared a few years ago, AT&T has been oddly cagey about where the data came from, insisting last week to outlets like Techcrunch that it didn’t originate with their systems:
“We have no indications of a compromise of our systems. We determined in 2021 that the information offered on this online forum did not appear to have come from our systems. This appears to be the same dataset that has been recycled several times on this forum.”
Yet Hunt has confirmed the data are from legitimate AT&T customers. If you’re an AT&T customer, you can search Have I Been Pwned to see if you’re part of the festivities. When Techcrunch pressed AT&T for more details, the company went silent. With AT&T refusing to own the leak, users don’t even get the traditional empty gesture of a year of free credit reporting.
AT&T’s denial suggests one of two things. Either the company couldn’t track down the origins of the leak, which points to substandard security and privacy standards and not-so-competent investigators. Or it knows precisely where this data came from, and the trajectory of the transfer raises privacy questions it doesn’t want to answer because they could involve regulatory and reputational risk.
Knowing AT&T’s ethics fairly well as a multi-decade telecom beat reporter, I think it’s very possible it’s the latter. Big ISPs like AT&T have a long, rich history of playing fast and loose with consumer data, selling access to vast troves of location, behavior, and other consumer data to a universe of partners in a million different creatively dodgy ways, then routinely lying about the width and breadth of the practice.
AT&T is part of a wide array of companies across numerous industries that universally suck at user privacy and security, while simultaneously lobbying our corrupt Congress to ensure nobody passes a privacy law, regulates data brokers, or holds telecoms to meaningful account. The outcome was always obvious; especially once companies like AT&T effectively became trusted partners in U.S. domestic surveillance.
Filed Under: consumers, data breach, ftc, hacker, have I been pwned, security, wireless
Companies: at&t


Comments on “AT&T’s Being Weirdly Cagey About A Major Data Breach Impacting 73 Million AT&T Users”
Water is wet...
And ISPs are more wet than the most watery-water.
This being cagey should surprise no one with a knowledge of water.
Re:
You realize, of course, that being cagey doesn’t help. Water, as a general rule, can’t be caged.
"Cagey"
This is AT&T we’re talking about, so let’s not ignore the possibility that their “caginess” is actually more a matter of utter incompetence. I submit that they just don’t KNOW, which is a normal state of affairs for them.
Hmm, incompetence or malice…I better refer back to Hanlon for this one.
I’m hearing that passwords or pins are involved. Kinda hard to see that data on a 3rd party site. If that’s the case, AT&T has some ‘splaining to do
Or the government could have done it, or Silicon Valley tech companies. Both also have access to that data.
I am sure that all of the “researchers” and “advertisers” are on it like white on rice.
Re:
Occam’s Razor.
Re: Re:
As opposed to the swamp creatures’ preferred methodology of the most complicated, insane, evil, perverted, stupid, destructive, chaotic, sadistic, predatory idea that they can come up with? That would certainly be a change of pace for the swamp creatures.
Re: Re: Re:
I forgot to include wasteful.
It is just completely ridiculous for any of them to claim that they are either governing or providing national security since data dumps have occurred with the IRS and Microsoft. They are all asleep at the switch or looting. What else is anyone supposed to think?
Re:
If the useless, retarded, insanely obsessed hacker that has nothing better to do with its ridiculous, pathetic life than hack my comments by adding typos to them, or prevent me from posting comments manages to defeat me, the sick fucking retarded degenerate will only have about 8 billion people left to defeat!
Look at This Week in Tech on YouTube, the first ten minutes segment; it says some open source libraries used in major Linux distros may have malware in the supply chain. Open source programs are used by every telecom provider, including AT&T.
An engineer just happened to find malware in an open source program because he noticed it was taking longer to process data than might be expected.
The problem is worse for companies like AT&T that have millions of customers whose data could be exposed by a potential hacker, e.g. address, phone number, mobile number, location data.
Re: More info
The library in question is liblzma, which is part of XZ Utils.
https://en.wikipedia.org/wiki/XZ_utils_backdoor
Re: Re:
Yep, that’s sick. Three years of work by a hacker (he was certainly not alone on it) but it got recompensed: a perfect 10/10 CVE score, when I was thinking that 9.8/10 was the highest score ever.
To anyone unaware of what this means, I’ll simplify.
“If you’re one of the people exposed, you’re fucked now and no one at AT&T will suffer any consequence, regardless of how ineffective, stupid or otherwise negligent they were with your data. They will accept no real blame, and your immutable info is still out there. Have a nice day.”
Re:
The AT&T response will certainly be: “Whoa! We’ve got 73 million users! Great! We’re looking to get even more at the next breach. Stay tuned.”
The fact the leak included plaintext social security numbers really should be used to drive home the idea that it is long past time for actual laws with actual punishments when corporations screw us over, beyond offering credit monitoring.
Curious...
…that the day following checking for my email at the Have I Been Pwned link, I have been inundated with spam email from a new source that does not reveal the sender!