AT&T’s Being Weirdly Cagey About A Major Data Breach Impacting 73 Million AT&T Users
AT&T is under fire after a hacker last month posted the personal information (names, addresses, phone numbers, and Social Security numbers) of roughly 73 million customers to the open web. Troy Hunt, security researcher and owner of the data breach notification site Have I Been Pwned, notes the data first appeared a few years ago courtesy of a hacker seeking payment.
In March the data, originally offered in encrypted form, was dumped on the open web. But ever since the data first surfaced a few years ago, AT&T has been oddly cagey about where it came from, insisting last week to outlets like TechCrunch that it didn't originate with its systems:
"We have no indications of a compromise of our systems. We determined in 2021 that the information offered on this online forum did not appear to have come from our systems. This appears to be the same dataset that has been recycled several times on this forum."
Yet Hunt has confirmed the data are from legitimate AT&T customers. If you're an AT&T customer, you can search Have I Been Pwned to see if you're part of the festivities. When TechCrunch pressed AT&T for more details, the company went silent. With AT&T refusing to own the leak, users don't even get the traditional empty gesture of a year of free credit monitoring.
AT&T's denial suggests one of two things. Either the company couldn't track down the origin of the leak, which points to substandard security and privacy practices and not-so-competent investigators, or it knows precisely where this data came from, and the path the data took raises privacy questions it doesn't want to answer because of the regulatory and reputational risk involved.
Knowing AT&T's ethics fairly well as a multi-decade telecom beat reporter, I think it's very possible it's the latter. Big ISPs like AT&T have a long, rich history of playing fast and loose with consumer data, selling access to vast troves of location, behavior, and other consumer data to a universe of partners in a million different creatively dodgy ways, then routinely lying about the width and breadth of the practice.
AT&T is part of a wide array of companies across numerous industries that universally suck at user privacy and security, while simultaneously lobbying our corrupt Congress to ensure nobody passes a privacy law, regulates data brokers, or holds telecoms to meaningful account. The outcome was always obvious; especially once companies like AT&T effectively became trusted partners in U.S. domestic surveillance.