AT&T Stops Pretending It Had Nothing To Do With A Massive Data Breach Impacting 73 Million Customers. Sort Of.
from the we-take-your-privacy-very-seriously dept
Last week we noted how AT&T was being rather cagey about the leak of the personal data of 73 million AT&T customers to the open web. The data, which includes customer social security numbers, addresses, names, phone numbers, and email addresses, first popped up back in 2021 after a hacker somehow obtained the data, encrypted it, and tried to sell it (unsuccessfully, apparently) in a public online forum.
Last month Troy Hunt, security researcher and owner of data breach notification site Have I Been Pwned, noted that this entire data trove was recently dumped unencrypted on the open web. As it did when the data first popped up back in 2021, AT&T last week tried to imply that the data didn’t originate from its systems and downplayed the importance of the leak:
“We have no indications of a compromise of our systems. We determined in 2021 that the information offered on this online forum did not appear to have come from our systems. This appears to be the same dataset that has been recycled several times on this forum.”
As the story grew, AT&T apparently realized that this shrug emoji in word form probably wasn’t going to work on the press or regulators. So last weekend the company issued a more detailed update on its website that at least acknowledges the data was legitimate, originating from “2019 or earlier,” impacting 7.6 million current AT&T account holders and approximately 65.4 million former customers.
Though AT&T still claims it’s unsure where the data originated or what systems were compromised (itself not a great sign given they’ve had half a decade to investigate):
“While AT&T has made this determination, it is not yet known whether the data in those fields originated from AT&T or one of its vendors. With respect to the balance of the data set, which includes personal information such as social security numbers, the source of the data is still being assessed.”
AT&T has a long history of dodgy privacy practices, whether it’s the company’s cozy relationship with the NSA’s domestic surveillance program, or the efforts the company engaged in to make privacy a luxury consumer option. AT&T, you might recall, also played a starring role in killing promising FCC broadband privacy rules in Congress before they could even take effect. They’ve also lobbied to stop a federal law.
A 2021 FTC report documented how telecoms track your every online behavior down to the millisecond, monetize that data in dozens of creatively named ways, then confidently assert that they’re not “selling your data” (usually because access is bundled creatively and simply called something else).
Our last story wondered if AT&T was being cagey because the data could have originated with a marketing or surveillance partnership not transparent to the public. We also noted that AT&T didn’t even offer the now-standard worthless free year of credit reporting consumers get every time a company screws up. AT&T reached out to correct us on one point: users are now being offered free credit reporting.
Oh, did I mention that AT&T is also now being sued?
Comments on “AT&T Stops Pretending It Had Nothing To Do With A Massive Data Breach Impacting 73 Million Customers. Sort Of.”
Good. They should be sued for $15 million per compromised user. Since that’s in the quads of dollars, they can pay that debt off over the next, oh, 50-100 years or so.
Re:
$1 million per compromised user seems more reasonable and possible, and at least that way, AT&T has no excuse to not pay.
AT&T's apparent priorities
In mid-2019, I signed up for AT&T Fiber. (I have since moved and canceled it.) I attempted to opt out of at least some of the tracking. There were at least five kinds of tracking, none of which AT&T explains: External Marketing & Analytics Reports, DNS Error Assist, Relevant Advertising, Enhanced Relevant Advertising, Third Party Services. To opt out of the first four kinds, a few clicks on one web page (allegedly) suffice (but how would one verify that?).
To opt out of Third Party Services, a visit to another page is required. The other page is managed by TrustArc (which, for all I know is owned by AT&T). After I chose to opt out, the page showed me the various trackers that are used. The display was dynamic and showed the result of each opt-out request. It took six minutes for the task to complete. There were 1415 trackers issued by 253 companies of 18 different types. During the six minutes, uBlock Origin blocked 214 trackers. At the end, all but 62 (4%) of the 1415 trackers from 191 companies had acknowledged my request to opt out of tracking. Many, many cookies had been written to my browser to register opt-outs and I was encouraged to download and install the Trusted Ads Plugin “to preserve opt-out permanence.” I did not do so.
TrustArc reported that no response was received from the automated opt-out systems of the 62 companies. Among them were Adobe, Google, Yahoo, Twitter and Youtube. No further remedy was provided. It seems likely that technical incompetence is not the explanation for the failures to respond.
In mid-2023, I signed up for AT&T mobile. I get billing reminders by email and by text. A few hours after I pay the bill online, I get second reminders by email and by text to pay my bill. Though this might suggest that the payment failed to go through – I verify that it does go through – it seems more likely that it reflects AT&T’s indifference.
AT&T has its priorities.
Free credit monitoring?
AT&T isn’t offering credit monitoring. They are merely telling you to set up fraud alerts on your accounts with the 3 major bureaus and that you can request copies of your credit report for free from Freecreditreport.com. AT&T isn’t giving you anything.