AT&T Stops Pretending It Had Nothing To Do With A Massive Data Breach Impacting 73 Million Customers. Sort Of.
Last week we noted how AT&T was being rather cagey about the leak of the personal data of 73 million AT&T customers to the open web. The data, which includes customer social security numbers, names, phone numbers, and email addresses, first popped up back in 2021 after a hacker somehow obtained the data, encrypted it, and tried to sell it (unsuccessfully, apparently) in a public online forum.
Last month Troy Hunt, security researcher and owner of data breach notification site Have I Been Pwned, noted that this entire data trove was recently dumped unencrypted on the open web. As it did when the data first popped up back in 2021, AT&T last week tried to imply that the data didn't originate from its systems and downplayed the importance of the leak:
"We have no indications of a compromise of our systems. We determined in 2021 that the information offered on this online forum did not appear to have come from our systems. This appears to be the same dataset that has been recycled several times on this forum."
As the story grew, AT&T apparently realized that this shrug emoji in word form probably wasn't going to work on the press or regulators. So last weekend the company issued a more detailed update on its website that at least acknowledges the data was legitimate, "originating from 2019 or earlier," impacting 7.6 million current AT&T account holders and approximately 65.4 million former customers.
Though AT&T still claims it's unsure where the data originated or what systems were compromised (itself not a great sign, given they've had half a decade to investigate):
"While AT&T has made this determination, it is not yet known whether the data in those fields originated from AT&T or one of its vendors. With respect to the balance of the data set, which includes personal information such as social security numbers, the source of the data is still being assessed."
AT&T has a long history of dodgy privacy practices, whether it's the company's cozy relationship with the NSA's domestic surveillance program, or the efforts the company engaged in to make privacy a luxury consumer option. AT&T, you might recall, also played a starring role in killing promising FCC broadband privacy rules in Congress before they could even take effect. They've also lobbied to stop a federal law.
A 2021 FTC report documented how telecoms track your every online behavior down to the millisecond, monetize that data in dozens of creatively named ways, then confidently assert that they're "not selling your data" (usually because access is bundled creatively and simply called something else).
Our last story wondered if AT&T was being cagey because the data could have originated with a marketing or surveillance partnership not transparent to the public. We also noted that AT&T didn't even offer the now-standard worthless free year of credit reporting consumers get every time a company screws up. AT&T reached out to correct us on one point: users are now being offered free credit reporting.
Oh, did I mention that AT&T is also now being sued?