We take cybersecurity very seriously and privacy is a fundamental commitment at AT&T.
When have we heard words like these before? I am being ridiculous; this is the kind of opening statement uttered by soulless PR zombies every time a big telco allows huge amounts of personal data to be compromised. This time is the turn of AT&T, formerly the world’s number 1 telco by revenue but now a company that makes so many employees redundant that they stopped announcing the number of job cuts they make. But woe betide anyone who dares to suggest that telcos employ too few staff to maintain security around personal data which, if compromised, can cause harm for millions of ordinary people.
The webpage recounting the details of AT&T’s latest privacy breach states that it involves data belonging to 7.6 million current AT&T account holders and 65.4 million former account holders. This information has been distributed on the dark web. Stolen data includes the full names, email addresses, home addresses, phone numbers, social security numbers, dates of birth, AT&T account numbers and passcodes of current and former AT&T customers.
Compromising the passcode of current customers would obviously be the most immediate threat because this would help criminals to take control of phone accounts, so AT&T has reset the passcodes of those affected. Let us just hope they did not reset every passcode to ‘1111’.
Changing passcodes does not address the wider risk of harm created by this breach. All sorts of buffoons routinely warn the public that they should not share personal information on social media because it might be used against them. The threat of individuals being robbed because of what they share on social media is trivial compared to the threat created by allowing criminals to receive a comprehensive and systematic download of personal data belonging to millions of people. But the only advice that AT&T can offer is that people should watch and see if any money is stolen from their bank accounts, or if their identities have been hijacked by somebody else.
…we encourage customers to remain vigilant by monitoring account activity and credit reports.
AT&T are using the same playbook on this occasion as they have used for previous breaches, trying to deflect blame by suggesting the data may have been breached by one of their suppliers. I tire of hearing this defense from this company. AT&T chooses its suppliers. If AT&T’s suppliers breach data then the fault is with AT&T for selecting suppliers that cannot be trusted. AT&T used the same excuses when shrugging off the breach of data relating to 9 million people last year, and for a separate breach affecting 23 million people in 2022.
The number of previous breaches involving data belonging to AT&T customers is unacceptable. If there was any justice, this telco should now be fined to the edge of oblivion, just to create sufficient incentive for competitors to increase their spending on data security. Penalties for this kind of failure remain inadequate because governments and their regulators keep allowing big businesses to enhance their profit margins by socializing the downstream costs created by inadequate data protection. Nowhere near enough money is spent on protecting data relative to the amount of economic harm done by criminals who exploit that data. This incident may result in a fine that runs into multiple millions of dollars, but the official response will still be minor relative to the effort that should be devoted to protecting data. That means an economically rational but morally vacuous business like AT&T will always choose to suffer the fine rather than spending enough to eliminate the risk of future breaches and future fines.
History demonstrates that authorities are not motivating the changes necessary to protect personal data. In 2016, the Federal Communications Commission (FCC) levied its largest ever data security penalty at that time. The penalty was worth USD25mn and it was paid by AT&T. Eight years is sufficient time to reflect on that amount and to conclude that subsequent behavior shows it was not enough.
There are other reasons why the US government will never discipline AT&T to the extent required for the public good. AT&T is a favored provider of personal data to America’s surveillance community. The network infrastructure run by AT&T is integrated into the operations of the National Security Agency (NSA), the US government’s foremost electronic surveillance outfit. And just a few months ago, Senator Ron Wyden complained to the US Department of Justice about AT&T choosing to retain trillions of historic call records dating back to 1987 just so the data can profitably be sold to police who want to circumvent the need for a court warrant.
AT&T is a thoroughly rotten business that puts all of us in danger. This is no exaggeration, given the amount of communications data passing over their networks, not just between Americans, but involving phone users all around the planet. But there are only a few individuals in senior positions, like Senator Wyden, who want to do anything about it. The rest just choose to bury their heads and pretend nothing is wrong.
So expect to hear more of the same in future. This is what AT&T told people following a breach in 2023.
AT&T’s commitment to customer privacy and data security is a top priority.
Does that sound familiar? Do you still believe what they say?



