873 comments

[ 2.8 ms ] story [ 378 ms ] thread
This is huge; also AT&T knew on Apr 19 but only disclosed now; ongoing fallout from the Snowflake compromise:

- Records downloaded from Snowflake cloud platform

- "AT&T will notify 110 million AT&T customers"

- Compromised data includes customer phone numbers ("for 77m customers"), metadata (but not actual content or timestamp of calls and messages), and location-related data. Not SSNs or DOBs. Mostly during a six-month period 5/1-10/31/2022, but more recent records from 1/2/2023 for a smaller but unspecified number of customers. TechCrunch [1] has more details including Mandiant's response, the name and suspects location of the cybercriminal group

[1]: https://techcrunch.com/2024/07/12/att-phone-records-stolen-d...

I wonder if Congress manages to summon TikTok-like levels of anger on regulating this one.

And, honestly, how is this info (which I WOULD want to know) meaningfully actionable to customers. We get our information stolen from a myriad of sources everyday. These companies do comparatively nothing to make things right and the burden falls on customers to pick up the pieces if you're in a tranch that is sold and used.
Of course it's not meaningfully actionable to customers, big time lag in not disclosing since Apr 19. (Why does this not fall under SOX violation with the obligation to report timely to affected parties? It has affected AT&T's stock price -3% in early trading, so should it have also required SEC disclosure?)

Wondering what is the significance that most of the stolen records were from the period 5/1-10/31/2022? Does it mean that AT&T enabled 2FA on more recent records, or that more recent records were on a different cloud bucket (or that they mostly stopped using Snowflake since)?

Because AT&T reported it to the FBI and DOJ, they in turn requested AT&T to not disclose it and there are exceptions in the SEC rules for exactly that scenario of actively working with law enforcement.

Regarding 2FA, it probably means they just enabled it in their access rules for any access to snowflake, but it's highly unlikely AT&T will walk away from Snowflake anytime soon because it had become their preferred BI/Data Analytics platform and they were actively migrating several hundred TBs of data out of Hadoop to Snowflake.

(comment deleted)
This is another consequence of the surveillance state. The same data that can be used to surveil us by the government can be stolen by who-knows-who. We’d all (mostly) be far better off, IMO, if companies didn’t retain such records.
Yes but have you ever asked a dev if they actually need the 8 year old logs in some bucket?
My wet dream would be a dump of all SMS or Meta or iMessage messages for a multiyear period for nearly 90% of users. Only when Normie Norman's private chats to his mistress and other little relationship trust disrupting secrets become uncensorably hosted on the darknet and freely searchable, only then will Normie Norman get a clue and install SimpleX/Briar/Cwtch/any other owner-free decentralized p2p chat.
While I share the sentiment, Normie Norman is not at fault. Meta and other BigCorps are the perpetrators and Norman the Victim.
True, but you have to admit once you really see Normie Norman you come to understand aristocracy.

At least I do anyway.

https://dwm.suckless.org/

> Because dwm is customized through editing its source code, it's pointless to make binary packages of it. This keeps its userbase small and elitist.

Not in the way of a narcissist trying to separate himself from the group, but to see that Norman is very much susceptible to cow-like behaviors you can leverage. That's what I mean by understanding aristocracy. Aristocrat : Rancher.
I have to disagree. He is a fault. Ultimately, you are the only person who really should care about your own security. When you delegate that responsibility, you are still the one who made that choice.
I don’t think it’s fair to blame people for not understanding the subtleties of encrypted communication.

Everyone only has so much attention to give.

Having a mobile phone is necessary to securing employment, shelter and sustenance in many cases, yet somehow it’s an individuals fault for choosing to have a phone account when a pair of multibillion dollar companies breach that data through lax security practices?
Not unrealistic. I used to have a tail of all SMS texts running 24/7 and was required to grep for specific terms for certain agencies until they eventually had their own access. This was only SS7 based texts and was long before RCS existed. I could have saved it all to my workstation but knew better than to do that. Either way SS7 and text messages are very insecure.
(comment deleted)
Including all location metadata associated to that?
The reports said celltower-level location data associated with calls and texts (but not datestamps). That would allow inferring their homes, job location, commute, family members, social graph.
You can still recover that without timestamps. It also looks like if anyone interacted with an ATT customer or used an MVNO your data is in there too.
It even said land lines had their numbers in the data if an ATT customer contacted one.

Edit: I must have read that from a different article than the TFA though.

Yeah, all att customers, 2nd party participants and any other user of their network. Not just direct customers.
The real problem is that data needs to be deleted over time. There is not much of a use case for customers for go back last year and see who called them and obviously there are use cases like criminal investigations or spying. But customer has no power or ability to dictate how long their records are store and how they are used. Companies should provide tools and features to their customers empowering them with their data.
This isn't data for serving user needs, this is data for spying on users
Non-murder criminal offenses typically have very short statutes of limitations.

A lot of this could also be solved by encouraging the federal government to enforce federal privacy law as written more aggressively. A good incentive would be to amend the privacy statutes to permit the FTC to keep the funds extracted from settlements and penalties in-house. This would allow them to increase staffing and create a positive feedback loop to deter wrongdoing. This would have a negative effect on incumbent companies and practices, but it would not take long for the message to get across and for practices to change accordingly.

Congress tends to prefer keeping agencies on its own budgetary string which paradoxically limits what the agencies are capable of doing. The laws that we think protect us do not protect us because many of them are within the exclusive jurisdiction of a federal agency with very limited powers and funds. In the US the leadership likes to create the illusion that it has made "Bad Problem" illegal by writing it into the law, but it does not like creating the conditions in which "Bad Problem" could be solved, whether it's because the tradeoffs involved are tough to contemplate or because keeping "Bad Problem" around as a visible enemy is clever politics.

> Non-murder criminal offenses typically have very short statutes of limitations.

There's a hidden assumption here. The expectation is that data retention and potential privacy violations are a necessary evil because anyone may later be under investigation for a crime. The data could go uncollected, it isn't AT&Ts job to retain private information on all of us just in case an investigator wants it.

Take telecoms out of it and consider a convenience store. Police would like to have video recordings of whatever moment in time they are investigating, but that doesn't mean the video has to be recorded and retained. A shop owner can choose to record videos and only retain them for a week if they want, or they can have cameras installed but not even recording if they're okay with just the effect of deterrence.

Many civil claims have short statutes of limitation as well. It's not really that good for these companies to maintain regular business records going back to infinity that are subject to discovery in disputes that are not even related to anything the telecom company did. Complying with the discovery requests and subpoenas is expensive. The fetish for the somewhat imagined benefits of big data creates open-ended liabilities for these companies. But the pressure that law enforcement and the spy agencies put on the telecom companies to facilitate this has been an open secret for a long time now.

A lot of this is on the federal government and Congress for leaving an area in which it has power dormant and within its relatively exclusive control. Thanks for the conversation.

(comment deleted)
That's another bandaid. The root cause is customer data collection mandated by outdated regulation. People should be able to digitally sign or provide a public key for their personal information without providing the raw text to 3rd parties. Various 1970's style government tax and regulatory rules need to be updated as well.
They have a financial incentive to never delete your data. Storing old data forever creates a perfect paper trail to sell to advertisers and perfect the shadow profile they keep on all of us.

I agree that deleting all your data after a year makes sense practically, but they'll never do it because it makes them too much money to keep it around.

Ongoing fallout from the Snowflake compromise; AT&T knew on Apr 19 but only disclosed now (Why does this not fall under SOX violation with the obligation to report timely to affected parties? It has affected AT&T's stock price -3% in early trading, so shouldn't it have also required SEC disclosure?)

- Records downloaded from Snowflake cloud platform

- AT&T will notify 110 million AT&T customers

- Compromised data includes customer phone numbers, metadata (but not actual content or timestamp of calls and messages), and location-related data. Not SSNs or DOBs. Mostly during a six-month period 5/1-10/31/2022, but more recent records from 1/2/2023 for a smaller but unspecified number of customers. TechCrunch report has more details including Mandiant's response, the name and suspects location of the cybercriminal group

I wonder if Congress manages to summon TikTok-like levels of anger on regulating this one.

> Snowflake blamed the data thefts on its customers for not using multi-factor authentication to secure their Snowflake accounts, a security feature that the cloud data giant did not enforce or require its customers to use.

So AT&T put all our call information somewhere and hid it probably behind a weak password with no additional factors. IMO that's actionable negligence and I hope they get sued to oblivion.

I'm more stunned that AT&T knew back on Apr 19 [UPDATE: Mar 20] yet feels it had neither an SOX violation or SEC obligation (share price effect) to notify timely. Like, by Apr 22. Not three months later [UPDATE: 4 months later].

Remember the massive Yahoo 2014 hack which Yahoo management failed to notify its own users for 2 years?

If SOX violation only literally covers users' own passwords getting breached, but not 2FA or other passwords to access the same data, will Congress amend it urgently?

EDIT: apparently they're hiding behind the 3/20 disclosure [0] which is all they disclosed until [1],[2] today.

[0]: March 30, 2024 - "AT&T Addresses Recent Data Set Released on the Dark Web" https://about.att.com/story/2024/addressing-data-set-release...

> "AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web; source is still being assessed...

> "AT&T has launched a robust investigation supported by internal and external cybersecurity experts. Based on our preliminary analysis, the data set appears to be from 2019 or earlier [incorrect], impacting... approx 7.6m current and 65.4m former AT&T account holders"*

> "Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set.... As of today, this incident has not had a material impact on AT&T’s operations."* [but did it have a material impact on the customers/ex-customers?!]

[1]: Jul 12, 2024 - "AT&T Addresses Recent Incidents Regarding Access to Data" https://about.att.com/pages/data-incident.html

[2]: Jul 12, 2024 - "AT&T Addresses Illegal Download of Customer Data" https://about.att.com/story/2024/addressing-illegal-download...

> "Based on our investigation, the compromised data includes files containing AT&T records of calls and texts of nearly all of customers of [AT&T’s cellular and (MVNOs) using AT&T’s wireless network], as well as AT&T’s landline customers who interacted with those cellular numbers between May 1, 2022 - October 31, 2022. The compromised data also includes records from January 2, 2023, for a very small number of customers. The records identify the telephone numbers an AT&T or MVNO cellular number interacted with during these periods. For a subset of records, one or more cell site identification number(s) associated with the interactions are also included."

Subsequent reporting reveals that the DOJ ordered two ~month-long "delay periods" in disclosure:

> The Justice Department determined on May 9 and again on June 5 that a delay in providing public disclosure was warranted, so the company is now timely filing the report.

> The company [AT&T] is working with law enforcement and believes at least one person has been apprehended, according to the filing. It does not expect the event to have a material impact on its financials.

MarketWatch: [https://www.marketwatch.com/story/at-ts-stock-slides-2-9-aft...]

According to CNN:

“The company said the US Department of Justice Department determined in May and in June that a delay in public disclosure was warranted. It’s not clear why that the US government requested that data be delayed. CNN has reached out to the Justice Department for comment.”

May 16 Dow Jones Industrial Average surpasses 40,000 points for the first time, before closing at 39,869.

public disclosure of a cataclysmic security breach in a darling of the stock market could have significant repercussions.

(comment deleted)
It definitely included SSNs for some of them.

Source: me. My data was included in the leak and it included my SSN. It’s been a cluster fuck of a cleanup.

My SIN number has been leaked no less than 4 times tied to basically every standard identifying question about me now, if that helps ease your worry.

I guess the new methodology is that a company cannot be sued if they just all leak data, that way nobody knows which one is responsible for your identity theft.

How has Snowflake felt ANY recourse for being the source of all of these hacks?
The dark web and info stealing malware are the source of the hacks.

My worry is not only that consumers get numb to breaches, but they consume rampant misinformation and have no idea how to hold appropriate parties accountable.

How many times have you held AWS accountable for stolen access keys?

Was it AWS fault when rabbit leaked their own keys?

Is it snowflakes fault when you lose your creds to infostealing malware?

How should snowflake enforce mfa on machine service account credentials?

The answers are no, no, and they can not possibly. Not even hyperscalers have this magic.

Eh, iirc the source of the hack was just regular stealers like Redline, not "the dark web".

It was actually Snowflakes fault.

The threat actors were able to find a test/demo account they could log into and from there they were able to access prod things they shouldnt have.

This is exactly the kind of comment I'm talking about. You have not read anything from snowflake, mandiant or crowdstrike on this, and you haven't even read the cnn article that has snowflakes response on this. The snowflake demo account has nothing to do with it.
No, its what happened 100%. Funnily enough, its YOU who hasnt read anything.

https://cloud.google.com/blog/topics/threat-intelligence/unc...

"In April 2024, Mandiant received threat intelligence on database records that were subsequently determined to have originated from a victim’s Snowflake instance. Mandiant notified the victim, who then engaged Mandiant to investigate suspected data theft involving their Snowflake instance. During this investigation, Mandiant determined that the organization’s Snowflake instance had been compromised by a threat actor using credentials previously stolen via infostealer malware. The threat actor used these stolen credentials to access the customer’s Snowflake instance and ultimately exfiltrate valuable data. At the time of the compromise, the account did not have multi-factor authentication (MFA) enabled."

https://www.symmetry-systems.com/blog/what-we-know-so-far-ab...

"Snowflake has confirmed that a threat actor obtained credentials of a single former employee and accessed demo accounts they had access to. Snowflake asserts these accounts contained no “sensitive” data and were isolated from production and corporate systems. However, unlike Snowflake’s core systems, which are protected by Okta and Multi-Factor Authentication (MFA), these dormant demo accounts lacked such safeguards. "

> Snowflake blamed the data thefts on its customers for not using multi-factor authentication to secure their Snowflake accounts
its not Snowflake's fault their customers used weak passwords and no MFA. Not enforcing MFA does merit some blame on Snowflake, however, I still think its on the customer to secure your own environment.
Snowflake is saying they knew of unusual activity "around mid-April 2024", confirmed "May 23, 2024", around which time they made MFA mandatory (although their customer AT&T say they knew of the breach "Mar 20"; these timelines keep shifting back):

"Mandatory MFA option unveiled by Snowflake" - Jul 11, 2024 https://www.scmagazine.com/brief/mandatory-mfa-option-unveil...

> "US cloud storage firm Snowflake has already required the implementation of multi-factor authentication across all user accounts a month following the widespread breach of customer accounts, including those of Ticketmaster and Santander Bank, reports The Register."

It's not mandatory, I still have Snowflake user accounts that don't use MFA.
"Mandatory MFA option unveiled by Snowflake" sounds like they made it an option for an organization to decide to make MFA mandatory within that organization. But that conflicts with TheRegister headline - Snowflake's PR machine seems to be in overdrive.
It's industry standard to enforce MFA for customers of such sensitive data though. There's always going to be weak links.
Right. Snowflake facilitated AT&T'S abject negligence, but ultimately the buck stops with AT&T, here.
(comment deleted)
Totally, way too many people are trying to blame snowflake.

ATT is a technology infrastructure company. Secure transmission of data is one of their core business competencies (theoretically). They are a corporation that we trust to handle incredibly sensitive info. Call records are, in fact, incredibly sensitive data.

They should be telling Snowflake what best practices to be using, not the other way around!

AT&T and phone carriers in general are not technology companies. They are infrastructure companies that purchase off-the-shelf communication technology, slap a billing system on top, and then spend most of their time on operations (finding places to put towers, keeping the gear up and running) and marketing. The security component of communications isn't built by them, but by the equipment manufacturers that they purchase from. There are no strong penalties for involuntary data leaks - why would they do more?
ATT has a rich history of being a technology company. They invented UNIX! That's in the past, fair enough.

So they used to develop cutting edge technology, they sell technology, they buy technology, they operate technology, they work with manufacturers to develop new technology, they operate the infrastructure underpinning the modern technology economy, but they aren't a technology company?

Even if you want to argue that they aren't a technology company, they sure spend enough time doing everything a technology company does to hold them accountable for their technology failures.

> They invented UNIX!

They also invented the transistor, C, the photovoltaic cell, radio astronomy, and … the telephone. ;)

Yes that’s the past, but AT&T labs still employs almost two thousand people. It’s very funny to try to claim AT&T isn’t a technology company and only peddles services on top of equipment made by others.

The company called AT&T now and the company called AT&T that invented Unix have really nothing in common but a thin stretch of history by now. The technology development units of AT&T were split off into Lucent a long time ago.

Calling AT&T a tech company because they operate technological infrastructure is like calling Spirit Airlines an aerospace technology company because they operate jet airplanes.

It’s unclear what you’re arguing. That AT&T isn’t capable of securing customer data, and we shouldn’t expect that of them? That they shouldn’t be held liable?

If they don’t have the core competency, they need to obtain it as a requirement of doing business.

> The security component of communications isn’t built by them

Are you claiming AT&T outsourced security and have contracts to back that up? Buying security equipment surely doesn’t amount to having security, that would be hilariously naïve. Equipment manufactures are not responsible for AT&T’s data security, AT&T is. There are laws around security that can hold AT&T liable, in the US and Europe and elsewhere. Whether they will hold the company liable is another question, but these laws will not accept an excuse that AT&T purchased security equipment from another company.

I claim that these companies do not have a particularly high amount of in-house infosec know-how and outsource a lot of it, not necessarily just in terms of buying equipment, but also the service component of how to set up business practices in a secure way. It doesn't absolve them of their failures but I'm no less surprised in AT&T failing to protect data than I would be McDonald's.
> Totally, way too many people are trying to blame snowflake.

Well the _actual_ compromise started from one of their employees, so it's pretty unsurprising that they're getting (some of) the blame.

Ahh. The linked article didn't have that detail.

They attributed it to a lack of 2FA

AT&T is a real-estate company that coincidentally sells telecommunications services. My wife used to work for them and given what she's told me I would never in a million years do any business with them intentionally.
I feel like this would be true if ONE customer was hacked. At this point it's more than a handful. AND snowflake knew about it.

If all the lockboxes in a bank get broken into, is it respectable to say "ah all of the customers should have used better locks"? The bank is the party who is supposed to be giving the insight into secure storage. They're not just renting space.

The Mandiant report said that some Snowflake customers declined to use MFA AND had passwords in place for 4+ years[1]. Maybe Snowflake should have pushed for MFA harder but at the end of the day, this is AT&T's fault.

[1] https://cloud.google.com/blog/topics/threat-intelligence/unc...

I'd say the blame lies halfway between AT&T and Snowflake. If you let your customers have poor security practices, and you have the power to ensure a heightened security level, you're also partly to blame...
Snowflake also made it hard to have good practices, giving them further culpability. There was no setting for customers to force their entire tenant to enforce MFA. Customers had to depend on each person with access to do the right thing, something that is unlikely to be universally true.
Non-expiring passwords is probably no more or less secure, unless you are a rampantly terrible employer known for setting ablaze every bridge ever to the point of atomic annihilation.
Are you suggesting a disgruntled former employee could use the password and do things? At that point, I have questions. How is the former employee accessing the cloud service? If your cloud is allowing public access without a VPN, then you've done something wrong there. If the former employee is still accessing your VPN, again, you've done something wrong. Many other things still come to mind but point back to you well before password rotation rules.
Yeah. I agree. We have a strong offboarding process as well. But other employers? I mean. I’ve seen some shit in my day.
> AT&T blamed an “illegal download” on a third-party cloud platform

WTF does this even mean?

The cloud employees downloaded it? If its so sensitive, why wouldn't this be heavily e2e encrypted?

This is related to the snowflake breach. Snowflake is blaming customers for not enabling MFA.
Looks like more than enough blame to go around. Not enabling MFA is pretty egregious by ATT. Snowflake creating a platform where such a high consequence mistake is apparently easy to make, and obviously without sufficient compensating controls to detect or limit impact of such a single point of failure. That's egregious too.
Consumers are so numb to data breaches that these events now bring very little outrage. I think without that anger from the consumer, there's little incentive for companies to do more to stop data breaches from happening.
Well it's starting to feel like data privacy just doesn't exist anymore. I don't know why administrators for big customer databases even bother setting passwords these days.
My mother was concerned that some of her information, and mine, leaked because she signed up for another bank account from a place she decided she didn't trust. She said she wasn't worried about the money being stolen, but she was worried about our identities being stolen.

My concern was the complete opposite - I assume that my social security number and address are already for sale for a fraction of a cent somewhere, bundled with 10,000 other identities. But if money gets stolen, that's a whole rigamarole, with banks wringing their hands and saying "identity theft" as if that clears them from any responsibility.

As a nobody, I keep wanting a financial product that is a black hole. Money can go in, but cannot come out without significant pain. Seven+ day waiting period, in person visit, physical mail verification, something, anything that means if I do get hacked my accounts are not drained in milliseconds.

When I need a legitimate large withdrawal, I can go through the required effort.

You can have a financial manager control your accounts for you and just keep a small checking account, (plus they'll help you grow your balances) but they're not free. Well, they're not free if you want them to be unbiased. Given, what's going to keep them from getting scammed? Maybe what you're looking for is several safe deposit boxes.
I still want my money invested into the economy. I just want Chase/Fidelity/etc to have an understanding that I am never going to withdraw money from these accounts without planning for it. So, “I” should never be authorized to drain the account at a moments notice without extensive approval. Anything to cause friction for would be scammers and only once-a-year (?) pain from me to triply confirm the money can move.
I don't have direct access to my long-term savings and retirement accounts— I have to go through my financial manager who'll works in a small, local firm, and so would anyone trying to impersonate me. He would probably recognize my voice, knows where I live and what's going on in my life, to whom I'm married, etc. because we have bi-annual check in meetings. He'd definitely contact me through his existing contact info if there was anything weird going on with one of my requests, especially if it involved a different address or account than he's used to dealing with. As anyone in that compliance-and-accuracy-focused line of work should be, he's very intent on making sure all of the Ts are crossed and Is are dotted. He charges a flat percentage of my modest retirement savings annually (I'm far behind most white collar workers my age, coming from a working class early adulthood) so he has a financial interest in my investments, and does a really solid job managing them. The accounts are in a large investment-focused bank which I believe only he can access. I think it's about as safe as you could get while still keeping your money active in the economy and not having a rich person's resources.
This already exists. Withdraw from account to physical cash. Proceed to stash cash in “secret” location.

Most businesses don’t even accept cash anymore. Can’t get “hacked” although it’s prone to many other issues — space, humidity, physical theft.

That sounds like the opposite of what OP wants, because that money can very easily come out, without any pain, and without you even being notified that it's been moved - unless you're re-implementing your own bank-level security, I guess.

For example, let's say you have $100k in savings. I think you would be absolutely bonkers to store that in some secret part of your (flammable! break-in-able!) house.

I guess you could put it in a safety deposit box, and if you needed to spend it in a non-cash way, you could walk it directly to the teller and deposit it and make it available? The equivalent of a cold wallet, I suppose.

> Most businesses don’t even accept cash anymore.

Really? I've been using cash almost exclusively for the past several months and haven't had any real problems. Sure, the overpriced hipster vegan Thai place in the McMall district may not take cash, but the family-owned ramen restaurant a couple miles down the road is more than happy to do so. Personally I find the "won't take cash" attribute to be a strong indicator that the business isn't worth supporting.

I've encountered nearly no businesses that don't accept cash and I pay with cash all the time. The lower-income end of the working class makes up a huge percentage of our economy, and it's an extremely cash-centric demographic. But even then, I've got a friend who sells fine handmade jewelry and some folks came in and bought like a 30k piece from her in cash because they owned a cash-only business. I can't imagine anyone existing outside of a ultra-gentrified corporate enclave that would encounter nearly any businesses that don't accept cash, let alone most. Maybe they just never see anyone use cash because they're not in a socioeconomic segment where it's still the standard?
If you have at least a fraud watch on your credit which means creditors are supposed to call you on the number they have listed before they open new accounts, then the money is arguably worth protecting more. But if you think it's tough to convince the bank with which you have an existing relationship that you didn't make some withdrawals, imagine trying to convince a bank you've never heard of that you didn't actually approve a loan for 3 Cadillac Escalade Platinums which neither you nor the bank realize are currently in a shipping container on their way to Abu Dabi.

(Nothing against Abu Dabi— I just picked a random place not under US jurisdiction where plenty of people have Escalade Platinum money.)

I often choose Abu Dhabi as an "example destination", because that's where Garfield kept mailing Nermal in the comics.
Classic Mitchell and Webb skit[0]:

Bank: "No, you see it was your identity that they stole!"

Customer: "Well I don't know because I seem to have my identity whereas you seem to have lost several thousands of dollars. I'm not clear why you think it's my identity that was stolen rather than your money."

0: https://www.youtube.com/watch?v=CS9ptA3Ya9E

And why didn't they do anything when we WERE angry?
I think many companies think they can solve this issue by throwing money at their cyber security teams. It just happens that cyber security teams are often ineffective.
How could they? Everything related to computers is designed to exfiltrate data nowadays.
Maybe this is how it is at some places, but in my experience, it is not the case. I have friends who have worked in cyber-security for Fortune 500 companies and almost all of those companies would short-change (or outright ignore) the recommended spend and suggestions of their cyber-security employees, contractors, and advisors.

Where are you getting your information from? The levels of security negligence I hear about aren't even a big ask. Huge companies neglect to do basic things like "don't store your passwords in plain text" or "make sure you salt and hash your passwords".

I don't think it's fair to say cyber security teams are failing if companies are blatantly doing the worst and most obviously wrong things on the daily at the highest levels.

It's hard for a CyberSecurity team to be effective when the Execs keep failing the phishing tests and IT does not have the authority to fire them for it.
I've seen this so many times. I've seen instances where the execs/managers demanded it was turned off for them, and it was. 75% of the security I've seen at companies is pure theater so they can check the boxes for their insurance.
Good security researchers easily command a $500,000 compensation package per year (cost to companies higher due to benefits like health insurance). When you show the market comp of good cyber security researchers to execs, suddenly they decide that they only have the budget to hire incompetent people.

Good cyber security people are expensive because they are highly skilled: they typically need to have been a software engineer to understand software architectures and have intuition about them, have spent significant time sharpening their skills at hacking by participating in CTFs, and have probably also spent significant time doing reverse engineering and have a few CVEs attributed to them. (Why are these skills needed? Because they are the skills needed by the red team. Every company that takes cyber security seriously will have a red team.) Now tell me whether these people are worth $500,000 per year.

After Equifax debacle, I don’t think anyone cares. It’ll only be a big deal if there’s a huge B2B leak and business-critical data gets exposed, other than the usual name, address and phone number.
I'm still upset the government hasn't started work on a new national ID program after the Equifax breach. The SSN is not a suitable ID number in this day and age. We need something better that can withstand these kind of things without screwing people for life. My credit will be frozen for the rest of my life, and everyone else should do the same.
This is it for me tbh. Yeah I don't want my identity stolen and I'm still careful but after Equifax I just assume everyone already has my data so all of these data breaches are meaningless to me at this point. It sucks and it makes me mad but all I can do is shake my fist and wish these companies would be better anyway, so what else can I do but just be ok with it?
It's not that simple. This time, phone records and location data are stolen. These are more sensitive than the stolen data from typical data breaches.
AT&T is a public company. Public company needs to get fined appropriately.

Start issuing multi billion dollar fines for these breaches and suddenly companies are invested in security.

Unfortunately with government agencies getting defanged as part of recent SCOTUS ruling, it’s likely not possible.

Have to rely on civil court to issue fines now (ie, class action lawsuits).

(comment deleted)
And this is yet another reason why I use signal
Do you exclusively use signal? Do your friends also use signal? Do you have friends who only use signal to communucate with you?
Yes.
Aside from a couple non-US friends, I know no one in the US who uses anything other than straight SMS (and Apple iMessage). I'm sure they exist but certainly not in the circle of people I communicate with.
There's definitely different circles in the US. My circle of friends and family is on Whatsapp. More than 99% of my communications would be through WhatsApp.
Everyone I know in the US uses either iMessage or Whatsapp. No one I know uses MMS.
Everyone I know uses signal. Different people really are different.
For whatever reason, chat seems to definitely encourage tribalism. The last company I worked for eventually bought into Slack because so many people WOULD NOT use anything else while a lot of us were like "ANOTHER chat app??" because we were perfectly happy with Gchat which we had as part of Google Workplace.

I know there are some historical reasons for non-SMS because of text pricing outside the US but everyone I know in the US would look at you funny if you wanted to use some special app for texting.

iMessage is very much a US thing. Most of the Non US people or people with international connection exclusively use messaging App ( whatsapp, Telegram, Signal)
do you have friends in plural?
I've gotten everyone from my in laws to my co workers on signal.

>I can share baby pictures without them being stored in google forever.

>We can organize whose bringing the coke without leaving a paper trail that lasts forever.

Do you make it like a fun game? Like when me and my friends in school would pass eachother coded notes and the cipher was an inside joke?

I'm genuinely curious: what was the pitch that you used to get others to start using signal?

Not all my friends switched, I had one good friend who decided not to because she already had a bunch of apps and didn't just want to talk to me on yet another app.

It's much easier when it's a group. I got some of my family to get on it too and they pretty much exclusively use it to talk to me.

In the mid 2010s it wasn't that hard of a call because the various Google apps kept getting deprecated (we were all in hangouts before), iPhone users wanted something rcs like and they couldn't for android users with mms, in general the app scene was taking off with Snapchat wechat etc. so people were easier to convince to dl it.

My pitch was 'you know how randomly Facebook or YouTube will serve you some adds about something you were talking about about, even though you didn't search with them? You're much less likely to have that happen with signal'

Then if they pressed I'd share a link from the net neutrality fight days about DNS hijacking etc and having them remember when all their failed urls would go to an ISP run search domain

I definitely used some FUD but it worked.

Actually I think some of the FUD was 'what if the carrier gets hacked?'.... Which, I mean for all carriers and all systems is just a matter of time. As t-> inf the probability of a breach converges to 1.

Also if any of your friends do drugs, of any sort, that was a great motivator for them to switch lol. Weed has only been legal for recreational since 2013 in any state.

Oh, and pretty much every techie friend I had went 'yo that's awesome' and changed over, even if they don't have a tech job.

Finally, back in the day/for many years, signal could default to normal MMS messaging, so the pitch was 'if they don't have signal, you can just text like normal'

I am working on this with mine, but even Signal is too weaksauce in my book. Ownerless (and ideally decentralized) p2p chat is what I am after. If everyone in my group used Android then it'd be Briar or Cwtch hands down for primary text/picture msg and SimpleX or Session or Jami as voice/video call and backup. Because there's an iphone upsetting everything that scratches Briar and Cwtch, so it's SimpleX reinforced with Orbot on my group's menu currently and it seems to work reliably. Session has terrible notification delays when in the background, they use the [IMO] boneheaded send-on-select abstraction within the selection gallery when attaching an image on their Android app (oh and your unsent typed text is wiped). Very unprofessional, needs a bottom-up redesign for its interface. Really has that everyone quit feel to it.
Do you make it like a fun game? Like when me and my friends in school would pass eachother coded notes and the cipher was an inside joke?

I'm genuinely curious: what was the pitch that you used to get others to start using signal?

Never signal because signal is bad on requiring too much metadata (your number). It was Session for a while but since SimpleX can be hardened with Orbot (or Tor on PC) and it was way more notifications-reliable, we switched. I would much prefer Briar or even Cwtch but an iphone in the group ruins that party.

Otherwise to answer your question it is a bit of a game. I also like to remind them how, being creeped out by Aunt Matilda putting microphones and keyloggers all over, at least Aunt Matilda [most likely] has better interests for you at heart. GOOG/AAPL/MSFT have no such kinship connection yet they are surveilling in precisely the same ways. That was a decade ago, now add in the Universal Function Approximators! *Demo stable-diffusion.* *Demo lm-studio.* *Present to them a performance of Orwell's 1984.* *Show them a few documentaries on social control.* "See? Now would you like to try it?"

Unironically yes. I'm in a bunch of different group chats with little overlap in signal. There was a huge push amongst my friend group to get people on it back in like 2015. I have some family not on it but we just talk in person.

Not everyone switched, but a surprising amount did, and only more have switched over time.

I hope you didn't sign-up for Signal with an AT&T-tied phone number. Else this breach would've probably exposed your PII either way.
I did not, and even then, none of my call logs or texts via signal would have been included, regardless of carrier.
This is the kind of breach that really should be company-ending, but will sadly instead likely result in a slap on the wrist.

It is high time for the US to have a privacy law with real teeth, and to enforce it with vigour.

Class-action suit sounds reasonable, but sadly those never give penalties in right ballpark. Here it should be hundreds to thousands at least per affected customer.

But my guess it is few tens of cents, if that... While lawyer will get nice couple million pop...

Or maybe it's time to turn software engineering into an actual engineering profession. If the people responsible for designing and maintaining the AT&T system were "real" engineers, they could be sued for malpractice or even lose their license to practice.
Do you really think that requiring 4-year degrees and passing a licensing exam would make a big difference? The fact is that, outside of civil engineering which involves a lot of dealing with regulatory agencies, most engineers in the US don't have PEs. I started on the path to get one because, had I stayed on my initial career path, I'd have been sending blueprints etc. to regulatory agencies but I ended up changing careers.
No, what will make the difference is being personally liable for the vulnerabilities you introduce.

Not the company. You.

How many individual engineers do you suppose get prosecuted for making errors--even careless ones? I'm guessing very few in the West. And I'm not even sure lopping off a head here and there to encourage the others is even a good idea.
> How many individual engineers do you suppose get prosecuted for making errors--even careless ones?

Not many but is that because they don't get sued or because professionals who face consequences for negligence make fewer stupid decisions?

I would assume that engineers, at least in the US, are far more concerned about getting fired/eased out than prosecuted if they do stupid things given that companies can do so pretty easily.
Would you say the same is true for a lawyer? Are they more worried about being fired from a law firm than being sued for malpractice and being disbarred? If not, why would engineers be different?
I would assume that being disbarred has a pretty high standard of misconduct as opposed to simply not making partner or whatever level of action makes maintaining employment at a large law firm practical.
Look at Sarbanes-Oxley for precedent. Management has to be made liable for sufficient cultural shift to occur.
Snowflake still works though. What civil engineer has been sued because somebody jumped off their bridge? You get sued when the bridge collapses not when somebody uses it for an unintended action.
The root cause is not whether engineers are licensed (I'm fine with that idea, but it's not going to resolve this specific problem). Instead, it is a culture of not caring about security because the fines are a cost of doing business is, and which comes from management, and treating personal information as an asset instead of a liability.

A Sarbanes-Oxley style law that makes the CEO personally criminally responsible for breaches will be vastly more effective than pursuing individual engineers - many of whom will be on the types of visa where they have no effective route of pushback on orders anyway.

When a doctor is negligent, their employer is often also sued if it can be shown that it knew shenanigans were underway and did nothing.

We shouldn't choose between holding engineers or executives responsible. Each should be held responsible for their part.

Indeed - but we should start at the place likely to actually make a difference: the executives.
So where/what is my compensation? (I know there is no recourse).

When no one is on the hook for secure practices, like enabling MFA on your effin data stores that contain massive amounts of customer PII, this is the result. Not even an apology, just report it and move on. woops! those gosh darned cyber criminals.

If you go to court and ask for compensation you would likely be asked to show harm. Could you?
It really doesn’t matter. Compensation has been dispensed to customers in data breaches such as credit/ssn info, no harm proof needed. Potential for harm is enough. Breach of contract, as a customer do I have a reasonable expectation that this data is not exposed? of course I do. No one could very seriously argue it’s a zero sum.
Is there no harm, or is there harm that is hard to show in court?
A bit of both.

Most people aren't going to have their identity stolen (or insert w/e crime). Those that do will have trouble proving it was from this leak.

I've received checks over the years for various things like this. You end up having to fill out a claim form and then wait about 5 years and one day, you get this check in the mail for some tiny amount of money.
> In a statement, AT&T said that the stolen data contains phone numbers of both cellular and landline customers, as well as AT&T records of calls and text messages — such as who contacted who by phone or text — during a six-month period between May 1, 2022 and October 31, 2022.

AT&T customer? Prepare for phone calls / text messages from your most frequent contacts saying "I got stranded / I'm Officer Blahblahman helping your friend get home... please send gift card / venmo"

It's only metadata...

I guess everyone is going to learn what Snowden was worried about the hard way now. I imagine there's going to be extortion attempts over calls to abortion clinics etc.
Among other things. The data's mostly from May-Oct 2022.
I just realized this is going to fvck my call blocking strategy up: now creditors will have a bank of known good numbers to spoof into my whitelist with! :^O
(comment deleted)
So, AT&T wasn’t using MFA?

A lot of information can be derived from analysis of call records. If this information becomes public, it could be disastrous.

> If this information becomes public, it could be disastrous.

Isn't it even worse if it doesn't become public? It's been downloaded by an unauthorized party after all, so if they're not publishing the data, I'd wager they've found another way to profit from it. I.e. blackmail or similar.

I guess it depends on your viewpoint wherever that's better or worse.

It's interesting when you have these old, large, sprawling bureaucratic organizations and the employees hardly give a sh!t anymore and allow for these large vulnerabilities. It's not a money issue, it's a caring issue I think.
Our economic system is at odds with security because we're trying to "get by" as cheap as possible. That doesn't bode well for protection of users' data.
During the last decade, ATT’s leaders decided to burn tens of billions of dollars by overpaying for obviated businesses like DirecTV and Time Warner.

I can only imagine the quality of mobile and fiber networking we could have had if that money was spent on telecommunications. And maybe they would have spent a few million on having proper security.

Not only that they blew $8 billion/year on dividends that could've gone into the business or to employees instead of being extracted and given to people who have nothing to do with the business.
When people invest in a business, whether it be your sibling’s business, or a local business, or a publicly traded business, they do it because they expect a return on investment.

An infrastructure utility such as ATT typically has to offer dividends because it is not going to experience the type of growth that would result in a return via share price increase.

Of course, ATT’s prices are not regulated like a proper utility, even though they should be, but it is still subject to the same market forces that prevent it from growing like a tech company would, who would have the option of foregoing dividends (or share buybacks).

Tangential, why did you/anybody spell "shit" like they are evading Tiktok language filters?
(comment deleted)
Why would AT&T even need to keep this data?

All i can think of is billing for a fraction of plans from the early 2000s who still pay per min/per text. Or maybe for capacity metrics but even then you only need the overall data point not the actual records once collaborated.

What's the US law for keeping data as long as its relevant and needed?

I am an ATT user and on a pixel which generally good at filtering spam messages. I have noticed I was getting so much spam messages recently ("wanna make money working remotely for x hours a day only") I was surprised and thought my number somehow made it to one of those spam networks. This confirms my suspicions.
(comment deleted)