AT&T Shrugs Off Data Breach Affecting 9mn Customers

Does a tree that falls in the middle of the forest make a sound if there is nobody to hear it? Does a breach of personal data have any consequence if taken from an organization that says the data does not matter? Telcos can have a remarkably subjective view of reality for businesses that capture enormous volumes of objective data about their customers. US network provider AT&T has maintained its reputation as the telco with the most relaxed attitude towards privacy breaches by brushing off the recent revelation that 9 million of its customers were subject to a data breach that occurred in January. Here is what they told customers about the breach:

AT&T’s commitment to customer privacy and data security is a top priority.

Hold that thought.

We recently determined that an unauthorized person breached a vendor’s system and gained access to your “Customer Proprietary Network Information” (CPNI). In our industry, CPNI is information related to the telecommunications services you purchase from us, such as the number of lines on your account or the wireless plan to which you are subscribed. However, please rest assured that no sensitive personal or financial information such as Social Security number or credit card information was accessed.

A person’s name and phone number are sensitive information, though they have not always been treated accordingly. There was a time when listing millions of phone numbers in a big paper book was not considered risky, but that was before every bank decided it would be a good idea to send one-time passcodes by SMS, prompting SIM swapping to become a serious issue.

To address this issue, the following steps have been taken:

  • We confirmed with the vendor that the vulnerability has been fixed.
  • We have notified federal law enforcement about the unauthorized access of your CPNI as required by the Federal Communications Commission. Our report to law enforcement does not contain specific information about your account, only that the unauthorized access occurred.

So AT&T’s response can be summarized as: checking the same breach cannot keep happening, and doing what they are legally obliged to do.

There were several contradictions in the stories presented by journalists, suggesting some vagueness or inconsistencies in the briefings that AT&T has supplied. For example, Dark Reading stated the breach did not contain any ‘personally identifiable information’ whilst CSO said it included first names, phone numbers and email addresses.

AT&T also offered the reassurance that the data which had been breached was ‘several years old’. As somebody who has had the same phone number since the 1990s, and the same name for even longer, I find AT&T’s qualifications concerning the age of the data to be unhelpful. If data is so old that it is no longer reliable then businesses should not continue to retain it.

There was considerable speculation about the identity of the vendor that was breached, with some arguing it was likely to be MailChimp because the email marketing firm was also known to have been breached during January.

This is not the first time that AT&T has excused a data breach concerning its customers by asserting the blame rests elsewhere. In August 2022, a breach which compromised data for 23 million people was dismissed as not originating with AT&T’s systems, even though the people affected all appeared to be AT&T customers.

AT&T says the privacy and security of customer data is a top priority. But we should judge businesses by actions, not words. You may want to review AT&T’s recent history, as captured in the following articles.

AT&T keeps advising people that they need not worry about their privacy. The truth is that everybody should be worried about AT&T’s attitude.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.