27k unique visitors in the last 3 days

Huge AT&T Data Breach Affects 73mn People

The faltering US telco has routinely repeated the same excuses for failure whilst consciously exploiting a huge trove of personal data.

We take cybersecurity very seriously and privacy is a fundamental commitment at AT&T.

When have we heard words like these before? I am being ridiculous; this is the kind of opening statement uttered by soulless PR zombies every time a big telco allows huge amounts of personal data to be compromised. This time is the turn of AT&T, formerly the world’s number 1 telco by revenue but now a company that makes so many employees redundant that they stopped announcing the number of job cuts they make. But woe betide anyone who dares to suggest that telcos employ too few staff to maintain security around personal data which, if compromised, can cause harm for millions of ordinary people.

The webpage recounting the details of AT&T’s latest privacy breach states that it involves data belonging to 7.6 million current AT&T account holders and 65.4 million former account holders. This information has been distributed on the dark web. Stolen data includes the full names, email addresses, home addresses, phone numbers, social security numbers, dates of birth, AT&T account numbers and passcodes of current and former AT&T customers.

Compromising the passcode of current customers would obviously be the most immediate threat because this would help criminals to take control of phone accounts, so AT&T has reset the passcodes of those affected. Let us just hope they did not reset every passcode to ‘1111’.

Changing passcodes does not address the wider risk of harm created by this breach. All sorts of buffoons routinely warn the public that they should not share personal information on social media because it might be used against them. The threat of individuals being robbed because of what they share on social media is trivial compared to the threat created by allowing criminals to receive a comprehensive and systematic download of personal data belonging to millions of people. But the only advice that AT&T can offer is that people should watch and see if any money is stolen from their bank accounts, or if their identities have been hijacked by somebody else.

…we encourage customers to remain vigilant by monitoring account activity and credit reports.

AT&T are using the same playbook on this occasion as they have used for previous breaches, trying to deflect blame by suggesting the data may have been breached by one of their suppliers. I tire of hearing this defense from this company. AT&T chooses its suppliers. If AT&T’s suppliers breach data then the fault is with AT&T for selecting suppliers that cannot be trusted. AT&T used the same excuses when shrugging off the breach of data relating to 9 million people last year, and for a separate breach affecting 23 million people in 2022.

The number of previous breaches involving data belonging to AT&T customers is unacceptable. If there was any justice, this telco should now be fined to the edge of oblivion, just to create sufficient incentive for competitors to increase their spending on data security. Penalties for this kind of failure remain inadequate because governments and their regulators keep allowing big businesses to enhance their profit margins by socializing the downstream costs created by inadequate data protection. Nowhere near enough money is spent on protecting data relative to the amount of economic harm done by criminals who exploit that data. This incident may result in a fine that runs into multiple millions of dollars, but the official response will still be minor relative to the effort that should be devoted to protecting data. That means an economically rational but morally vacuous business like AT&T will always choose to suffer the fine rather than spending enough to eliminate the risk of future breaches and future fines.

History demonstrates that authorities are not motivating the changes necessary to protect personal data. In 2016, the Federal Communications Commission (FCC) levied its largest ever data security penalty at that time. The penalty was worth USD25mn and it was paid by AT&T. Eight years is sufficient time to reflect on that amount and to conclude that subsequent behavior shows it was not enough.

There are other reasons why the US government will never discipline AT&T to the extent required for the public good. AT&T is a favored provider of personal data to America’s surveillance community. The network infrastructure run by AT&T is integrated into the operations of the National Security Agency (NSA), the US government’s foremost electronic surveillance outfit. And just a few months ago, Senator Ron Wyden complained to the US Department of Justice about AT&T choosing to retain trillions of historic call records dating back to 1987 just so the data can profitably be sold to police who want to circumvent the need for a court warrant.

AT&T is a thoroughly rotten business that puts all of us in danger. This is no exaggeration, given the amount of communications data passing over their networks, not just between Americans, but involving phone users all around the planet. But there are only a few individuals in senior positions, like Senator Wyden, who want to do anything about it. The rest just choose to bury their heads and pretend nothing is wrong.

So expect to hear more of the same in future. This is what AT&T told people following a breach in 2023.

AT&T’s commitment to customer privacy and data security is a top priority.

Does that sound familiar? Do you still believe what they say?

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email