AT&T Says Compromised Customer Data Was Not Stolen from Them

There are so many privacy breaches involving telcos that it has become difficult to keep up with them all. However, a recent story from independent security reporter Brian Krebs deserves attention because it highlights how telcos can allow other organizations to obtain data about the telco’s customers without taking responsibility when those organizations suffer a data breach. The story is based on last week’s announcement from Hold Security that they had intercepted…

…a 1.6 gigabyte compressed archive placed on a popular Dark Web file sharing site. The largest file in the dataset was a 3.6 gigabyte uncompressed file called dbfull. At first glance, the file contained stolen identity information. After a closer inspection, we believe the data likely belongs to AT&T customers.

All risk managers should familiarize themselves with research done by Sherman Kent and others concerning how people interpret words that are used to describe probabilities. The point is worth reiterating because Hold Security’s choice of the word ‘likely’ is unhelpful in the sense that it is also unhelpful to assert ‘night is likely to follow day’ or that ‘Vladimir Putin is unlikely to apologize for invading Ukraine’. Most people believe something can be likely whilst still retaining reasonable doubt about its certainty. There are no reasonable grounds to doubt that the files found by Hold Security include 23 million email addresses and social security numbers belonging to people who were customers of US operator AT&T during the year 2018. Their analysis provides several compelling reasons to conclude the dataset is a list of AT&T customers, though the birthdates of the listed customers suggests the data was breached about 4 years ago. However, AT&T reaffirmed that telcos are unlikely to be helpful when shown evidence of a data breach. Krebs confronted them with the news and this is how he summarized their response.

KrebsOnSecurity shared the large data set with AT&T, as well as Hold Security’s analysis of it. AT&T ultimately declined to say whether all of the people in the database are or were at some point AT&T customers. The company said the data appears to be several years old, and that “it’s not immediately possible to determine the percentage that may be customers.”

“This information does not appear to have come from our systems,” AT&T said in a written statement. “It may be tied to a previous data incident at another company. It is unfortunate that data can continue to surface over several years on the dark web. However, customers often receive notices after such incidents, and advice for ID theft is consistent and can be found online.”

The company declined to elaborate on what they meant by “a previous data incident at another company.”

Last month T‑Mobile US offered USD350mn to settle claims arising from a privacy breach involving almost 77 million customers, so it makes sense for AT&T to deny any liability for files giving the full name, mobile phone number, fixed-line phone number, full postal address, email address, date of birth and social security number of 23 million current or former customers. Nevertheless, we all rely on telecoms providers. That means we also rely on them to make good choices about the other businesses trusted to process personal data on their behalf. And we are becoming increasingly reliant on telecoms providers because so many other companies now demand we give them a phone number so they can verify who we are. That means every year we face a worsening risk that criminals will use any personal data they can find to take over a telephone account just as a means to gain access to some other account that belongs to us.

Confidence is crumbling. Telcos resort to pointing fingers at others instead of offering real leadership. But the role of the telecoms provider is already one that relies on trust, because customers use their phones to talk and send messages about their private lives and about confidential business matters. They do this in the belief that the telco respects their privacy. It is not satisfactory for a telco to dismiss a breach of their customers’ data as being the fault of some other business they worked with but cannot control.

Imagine if a telco in a Western country said they were not responsible for phone conversations that were listened to by spies because the surveillance capability was built into the technology of an equipment supplier like Huawei. The business that sells a service to a customer is responsible for all the other businesses who contributed to providing that service. But the intervention of Western governments in the purchase of technology from Huawei and other companies shows there is no longer unlimited confidence in the extent to which telcos will take responsibility for their procurement choices. These national security prohibitions, in concert with toughened data protection legislation, are the first steps towards reducing reliance on decisions that would otherwise be made by corporate executives. The ongoing erosion of trust bodes ill for telecoms providers in the long run.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.