They have been breached and breached and breached again. In the aftermath of each breach, some dullard from the public relations team of this telco always insists that they place a lot of importance on protecting the privacy of customers. So you already know the direction in which this short article is headed. A filing made on Friday by American telco AT&T with the US Securities and Exchange Commission (SEC) has revealed yet another enormous breach of customer data.
Current analysis indicates that the data includes… records of calls and texts of nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (“MVNO”) using AT&T’s wireless network.
The content of the SEC filing was mostly repeated in a statement on AT&T’s website that neglected to mention they were aware of this breach several months ago, and the news had been suppressed until Friday per instructions from the US Department of Justice. The stolen data concerned the traffic conveyed by AT&T’s network from the beginning of May to the end of October 2022. There was also the compromise of some data relating to traffic that was carried on January 2, 2023. As you would expect, AT&T played down the significance of the breach by emphasizing that the data did not include customer names, nor any of the contents of the communications. This makes me think that I would like to see a list of the phone numbers used by AT&T executives, and every number of every call and message that was sent or received by their phone across a four-month period, so the world can cross-check these numbers with public directories and then deduce, in no particular order, who these people are having sex with, which doctors they are seeing, which politicians they are brown-nosing, and the phone numbers of their children. I think of it that way because I think like a bad actor thinks, and not in the dreamy carefree manner that seems to dominate the thinking of business executives and their PR goons.
AT&T did what they always do in these circumstances: they deflected blame on to others. The data was illegally downloaded from AT&T’s workspace on Snowflake, a third-party cloud platform. One person has already been arrested, presumably by the FBI, though no further details were given. It seems that nobody in their management team has the intellect or honesty to conclude that these breaches keep affecting AT&T customers because of choices that AT&T keeps making. Perhaps an FBI detective might assist by pointing out the common corporate factor in all these otherwise unrelated breaches.
AT&T said something about stopping further breaches using the same method, which is surely the absolute minimum expectation in situations like these. And it was also stated that current and former customers affected by the breach will each be told the bad news, which makes me wonder if anyone in AT&T is conscious that the people using the other phone numbers also had their privacy compromised. But apart from that, not much could be said because taxpayer-funded law enforcement has to do its job, and the impact on AT&T’s profits will effectively be zero.
…AT&T does not believe that this incident is reasonably likely to materially impact AT&T’s financial condition or results of operations.
And so endeth the story, at least for a thousand journalists who milked it before I did. A very small number of them made some weak point about increased government oversight, but they were wrong to do so. Government oversight will not lead to improvements in the US telecoms sector because you cannot fix an industry that is rotten to the core through increased oversight by government agencies that are rotten to the core. The radical change needed to protect American phone users — and everybody else they interact with — will not be brought about by the mediocre class of overpromoted buffoons who are in the ascendancy within the US telecoms sector and the branches of government that interact with telcos. They have consistently shown themselves unwilling to invest in the quality of data security that would be appropriate to mitigate the potential harm that can be done when personal data is stolen. AT&T has been making so many staff redundant that they stopped bothering to report the numbers of employees they lay off. A company like this will not suddenly have an epiphany about recruiting skills they never cared about previously.
Even if AT&T are fined as a consequence of this breach, their management is right to conclude that the fine will be so small in the big scheme of things that it will have no material impact on their financial results or the way they will operate in future. It is easy to see why the scales have been tilted so far against the interests of ordinary phone users. The US government pays AT&T to gather and retain records of telecommunications traffic as part of a trillion-CDR surveillance operation. The US government is not going to upset their chief outsourced partner in gathering intelligence on private communications by pushing AT&T to have similar levels of respect for customer privacy to those exhibited by Apple, or even by Google. Spying on phone users is part of AT&T’s reason to exist. That the information they gather will sometimes fall into the wrong hands is nothing but the data equivalent of collateral damage.
If AT&T had the slightest integrity then the internal assessment of their repeated failures would begin at the top, with board members questioning whether c-level executives need to be fired over the sequence of data breaches that have occurred. But their assessment will not start at the top, because AT&T’s Board of Directors has the same warped sense of priorities as their management team. The Chairman of AT&T’s Board is a former Chairman of the Federal Communications Commission (FCC). In other words, AT&T paid its Chairman USD858,333 last year because he provides them with top-grade political cover for every terrible thing they do, including the sale of data through a shady scheme approved by the current White House administration.
AT&T’s Chairman is William Kennard, a Democratic Party operative who was appointed to lead the FCC by President Bill Clinton in 1997. President Obama later gave Kennard the plumb role of Ambassador to the European Union. A big part of that job was to manipulate the European Commission into maintaining the pretense that US businesses can be trusted to respect European privacy standards. Kennard’s primary qualification for understanding how to use technology to better our lives comes from his training as a lawyer, having served as General Counsel for the FCC before he was elevated to the top job. Like so many other American lawyer-politician decision-makers, Kennard’s chief skill is that he can argue about what the rules mean, and what should be the penalty when those rules are broken. I struggle to see any evidence of these skills ever being translated into protecting the public from harm before those rules are broken, as they so often are.
My take on this data breach is different from that provided by some journalists. They want to maintain a narrow focus on the detail so they can claim more government oversight is the solution to AT&T’s incompetence. These people steadfastly refuse to acknowledge that companies like AT&T are run by the same people who run the government. US telcos are broken, decrepit, conceited, wasteful abominations that serve themselves at the expense of everyone else because they are run by the same elites that also turned the US government into a broken, decrepit, conceited, wasteful abomination that serves itself at the expense of everyone else. There are only three real differences between the way US networks are run and the way Chinese networks are run, despite all the American politicians who remonstrate about the threat posed by the Chinese Communist Party and the telecoms businesses that serve its wishes. The Chinese do not need to pretend that they care about the privacy of phone users. The Chinese can make fast networks for less cost than Americans can. And the people who run things in the USA belong to one of two parties of cronies, whilst there is only one party of cronies in China.
AT&T is what you get when crony capitalism is so normalized that nobody remembers what real competition looks like, or why governments exist. A privately-owned for-profit business becomes so deeply entwined with the interests of the public sector that no level of failure is so low that it can lead to meaningful recriminations. The company keeps making profit, the government keeps getting what it wants, and the public gets screwed. When another breach occurs in a little while, the public will be encouraged to keep swimming around their goldfish bowls, and discouraged from asking why the view never changes. The alternatives involve switching off phones, or using modes of communication that are encrypted from end-to-end. These are the only wise courses of action left available.



