Does a tree that falls in the middle of the forest make a sound if there is nobody to hear it? Does a breach of personal data have any consequence if taken from an organization that says the data does not matter? Telcos can have a remarkably subjective view of reality for businesses that capture enormous volumes of objective data about their customers. US network provider AT&T has maintained its reputation as the telco with the most relaxed attitude towards privacy breaches by brushing off the recent revelation that 9 million of its customers were subject to a data breach that occurred in January. Here is what they told customers about the breach:
AT&T’s commitment to customer privacy and data security is a top priority.
Hold that thought.
We recently determined that an unauthorized person breached a vendor’s system and gained access to your “Customer Proprietary Network Information” (CPNI). In our industry, CPNI is information related to the telecommunications services you purchase from us, such as the number of lines on your account or the wireless plan to which you are subscribed. However, please rest assured that no sensitive personal or financial information such as Social Security number or credit card information was accessed.
A person’s name and phone number are sensitive information, though they have not always been treated as such. There was a time when listing millions of phone numbers in a big paper book was not considered risky, but that was before banks decided it would be a good idea to send one-time passcodes by SMS, which is what turned SIM swapping into a serious threat: whoever controls the number receives the codes.
To address this issue, the following steps have been taken:
- We confirmed with the vendor that the vulnerability has been fixed.
- We have notified federal law enforcement about the unauthorized access of your CPNI as required by the Federal Communications Commission. Our report to law enforcement does not contain specific information about your account, only that the unauthorized access occurred.
So AT&T’s response can be summarized as: checking the same breach cannot keep happening, and doing what they are legally obliged to do.
There were several contradictions in the accounts presented by journalists, suggesting vagueness or inconsistency in the briefings AT&T supplied. For example, Dark Reading stated the breach did not include any ‘personally identifiable information’, whilst CSO said it included first names, phone numbers and email addresses.
AT&T also offered the reassurance that the data which had been breached was ‘several years old’. As somebody who has had the same phone number since the 1990s, and the same name for even longer, I find AT&T’s qualifications concerning the age of data to be unhelpful. Names and phone numbers do not expire, so the age of a copy has little bearing on the harm it can do. And if data really is so old that it is no longer reliable, then businesses should not continue to retain it.
There was considerable speculation about the identity of the vendor that was breached, with some arguing it was likely to be MailChimp because the email marketing firm was also known to have been breached during January.
This is not the first time that AT&T has excused a data breach concerning its customers by asserting the blame rests elsewhere. In August 2022, a breach which compromised data for 23 million people was dismissed as not originating with AT&T’s systems, even though the people affected all appeared to be AT&T customers.
AT&T says the privacy and security of customer data is a top priority. But we should judge businesses by actions, not words. You may want to review AT&T’s recent history, as captured in the following articles.
- A string of famous YouTubers blamed AT&T for SIM swaps that caused them to lose control of their YouTube accounts.
- AT&T were blamed when the Twitter account of former Twitter CEO Jack Dorsey was compromised.
- AT&T admitted they were ‘aware’ of hackers attempting to infiltrate systems by tricking staff into running Remote Desktop Protocol software.
- In 2020, it was discovered that there was a phishing site designed to look like the login screen for an AT&T employee portal.
- Investigative journalists from The Intercept have established that the National Security Agency (NSA) focuses their efforts on eight AT&T sites which are central to the monitoring of “billions of emails, phone calls, and online chats”.
AT&T keeps advising people that they need not worry about their privacy. The truth is that everybody should be worried about AT&T’s attitude.