AT&T says criminals stole phone records of 'nearly all' customers in data breach

jader201
28 replies
4h48m

I never got the impression that the market ever cares about data breaches. It seems most companies are rarely held financially responsible for data breaches anyway.

I would bet any effects you’re seeing in stocks is unrelated to this news.

graybeardhacker
11 replies
4h37m

I agree.

This is precisely why breaches keep happening and will keep happening. It cost money to implement security. There's no cost benefit to spending that time and money since there are no consequences.

Businesses do not spend money unless it will make them money or save them money.

There needs to be a hefty federal fine on a per-affected-user basis for data breaches. Also a federal fine for each day a breach is unreported.

That money should go into a pool which can be accessed by people who have their identity stolen.

ThunderSizzle
5 replies
4h34m

Or a lawsuit goes through where someone can win quite a bit from data leaks. If each person affected sued and won 100k or so, or even 1k, AT&T would definitely be spending money on security.

But it appears $5 or credit monitoring from an agency that also gets hacked is sufficient for class action lawsuits.

malcolmgreaves
4 replies
4h22m

That requires people to be rich enough to sue. It takes a lot of money and time to sue. Almost no one has enough resources to do this. The courts are not an effective way to implement this policy. Unless you only want rich people to be able to get justice.

CityOfThrowaway
2 replies
4h15m

110M people impacted = class action

The lawyers work on contingency

unixhero
0 replies
3h56m

Imagine the GDPR fine

pas
0 replies
1h58m

showing damages is hard

Borg3
0 replies
4h14m

And rich people usually do deals off-court. You will pay me this and we are ok. Because it's faster and both sides usually know their capabilities.

cm2187
3 replies
3h46m

Most breaches are because of developer incompetence. Throwing money at it won't really help. You need better basic security skills.

slg
2 replies
2h26m

No two people are incompetent in exactly the same way. Hiring two developers to review each other's code leads to better code because they will often find problems that the other one didn't see. In a well managed organization (admittedly not a trivial caveat these days), more people working on security leads to better security.

cm2187
1 replies
1h31m

Certainly, but for instance no sane developer should concatenate a string in a sql query unless there is absolutely certainty the string is safe. This should be reflex, not a matter of money or time.

slg
0 replies
29m

People are always going to make bad decisions. Sometimes that is out of a lack of experience or knowledge which can be fixed by better training (which also requires money). Other times it is out of apathy, laziness, or something else that can't be easily fixed. Either way, time and money can provide extra sets of eyes to find and fix those mistakes before they lead to a breach.

dboreham
0 replies
3h32m

It cost money to implement security.

Yes, but no amount of money will stop the data in a big database being stolen by someone sufficiently motivated to steal it. It's just bits on someone's disk.

The only true solution is to not create the database. But then what would all the data scientists and their MBA masters do with their time?

weezin
3 replies
4h9m

Really should be up to the government to fine these companies and pay out to those affected to disincentivize lax security standards.

kcmastrpc
1 replies
4h5m

How would such damages be assessed or proven?

Eisenstein
0 replies
3h45m

They would be assessed according to rules written by people who are skilled at writing such rules. The rules would be evaluated by looking at data over time and revised as needed by experts in the industry who are as neutral as possible, maybe with some feedback from the public. The courts exist for any contention regarding responsibility.

hodgesrm
0 replies
2h23m

Well, I guess we devs should also be looking at ourselves, then. A lot of the lax security comes from us collectively choosing to build applications using cloud services that talk to each other over the public internet. That pretty much describes the so-called "modern data stack."

rybosworld
3 replies
4h13m

There is some evidence that it does hurt stock prices:

https://www.comparitech.com/blog/information-security/data-b...

"Stocks of breached companies on average underperformed the NASDAQ by -3.2% in the six months after a breach disclosure"

That said, it's not clear what the long term impact is on stock price (if there is any).

teraflop
2 replies
3h37m

Unfortunately, that analysis seems to have made absolutely no attempt to check whether the results are statistically significant.

Pick 118 random companies at 118 random points in time. It's vanishingly unlikely that the average returns of that group will exactly track the NASDAQ returns over the following 60 days. It might underperform, or it might overperform. An underperformance of 3.2% could easily just be the result of random chance, and have nothing to do with data breaches.

jkaptur
1 replies
2h18m

My hypothesis would be that companies with poor operational practices are more likely to underperform the index and have data breaches - in other words, that the study confuses cause and effect.

This wouldn't be that hard to test. I suspect that the breached companies underperformed in the six months before the breach as well as the six months after.

Terr_
0 replies
22m

Also, events which are not "just" data-leaks but also interruptions or degradation in regular operations. I suspect investors may be more sensitive to those events and their fallout, and such events more likely to either be caused by bad-practice or to be somehow connected to data-leaks.

smcin
2 replies
4h39m

They are very much related to the news, that's precisely why I linked to the stock charts: AT&T was flat overnight but opened (9am ET) with a -2.6% spike down, but has been recovering since. Their press release appears to have been Friday 7am ET shortly before market open [https://about.att.com/story/2024/addressing-illegal-download...].

Also as corroboration here's MarketWatch: "AT&T’s stock slides 3% after company discloses hack of calls and texts" [https://www.marketwatch.com/story/at-ts-stock-slides-2-9-aft...]

soulofmischief
1 replies
4h4m

I'm not saying there's no way the stock pullback wasn't caused by the hack, but it's also important to note that MarketWatch article only establishes correlation, not causation.

seadan83
0 replies
2h12m

Most linked financial news is auto-generated and auto-correlated. Lots of "why did.." when nobody knows, and frankly there often is no why. Perhaps that was the day a retirement fund shifted money, who knows.

While this price movement is very well correlated, perhaps even causal, for MarketWatch (and all similar bottom feeders that are just trying to make ad revenue) it's a case of a broken clock being right. Those financial news sites which link recent news to stocks, e.g. Yahoo, Benzinga: those recent news headlines are just the same as ad tech now. It is noise.

omoikane
0 replies
1m

My reading is that the market thinks Snowflake takes the majority of the blame, and the content of the linked article seemed to suggest as much despite having only AT&T in the headline.

nashashmi
0 replies
3h41m

Insurance takes up a lot of the fallout from data breaches.

hodgesrm
0 replies
2h59m

I never got the impression that the market ever cares about data breaches. It seems most companies are rarely held financially responsible for data breaches anyway.

This might also explain why there's little visible effect on other cloud database services either. After all, the attack is pretty simple and potentially affects any cloud database that allows access from the Internet.

darby_nine
0 replies
3h40m

I'm certainly not going to defend negligence of data protection but it's extremely difficult to cost as a liability (naively, you might even consider it not a liability at all) without government oversight.

chung8123
0 replies
4h29m

I think they will care a lot more when it directly impacts them. If all their text conversations were publicly available that would cause some outrage.

xyst
0 replies
3h20m

It’s priced in.

John23832
23 replies
5h59m

How has Snowflake felt ANY recourse for being the source of all of these hacks?

Aaronstotle
13 replies
5h23m

It's not Snowflake's fault their customers used weak passwords and no MFA. Not enforcing MFA does merit some blame on Snowflake; however, I still think it's on the customer to secure your own environment.

dghlsakjg
8 replies
4h27m

Totally, way too many people are trying to blame snowflake.

ATT is a technology infrastructure company. Secure transmission of data is one of their core business competencies (theoretically). They are a corporation that we trust to handle incredibly sensitive info. Call records are, in fact, incredibly sensitive data.

They should be telling Snowflake what best practices to be using, not the other way around!

yyyfb
4 replies
4h16m

AT&T and phone carriers in general are not technology companies. They are infrastructure companies that purchase off-the-shelf communication technology, slap a billing system on top, and then spend most of their time on operations (finding places to put towers, keeping the gear up and running) and marketing. The security component of communications isn't built by them, but by the equipment manufacturers that they purchase from. There are no strong penalties for involuntary data leaks - why would they do more?

dghlsakjg
1 replies
3h49m

ATT has a rich history of being a technology company. They invented UNIX! That's in the past, fair enough.

So they used to develop cutting edge technology, they sell technology, they buy technology, they operate technology, they work with manufacturers to develop new technology, they operate the infrastructure underpinning the modern technology economy, but they aren't a technology company?

Even if you want to argue that they aren't a technology company, they sure spend enough time doing everything a technology company does to hold them accountable for their technology failures.

dahart
0 replies
3h27m

They invented UNIX!

They also invented the transistor, C, the photovoltaic cell, radio astronomy, and … the telephone. ;)

Yes that’s the past, but AT&T labs still employs almost two thousand people. It’s very funny to try to claim AT&T isn’t a technology company and only peddles services on top of equipment made by others.

metabagel
0 replies
3h46m

It’s unclear what you’re arguing. That AT&T isn’t capable of securing customer data, and we shouldn’t expect that of them? That they shouldn’t be held liable?

If they don’t have the core competency, they need to obtain it as a requirement of doing business.

dahart
0 replies
3h19m

The security component of communications isn’t built by them

Are you claiming AT&T outsourced security and have contracts to back that up? Buying security equipment surely doesn’t amount to having security, that would be hilariously naïve. Equipment manufactures are not responsible for AT&T’s data security, AT&T is. There are laws around security that can hold AT&T liable, in the US and Europe and elsewhere. Whether they will hold the company liable is another question, but these laws will not accept an excuse that AT&T purchased security equipment from another company.

disgruntledphd2
1 replies
3h40m

Totally, way too many people are trying to blame snowflake.

Well the _actual_ compromise started from one of their employees, so it's pretty unsurprising that they're getting (some of) the blame.

dghlsakjg
0 replies
3h3m

Ahh. The linked article didn't have that detail.

They attributed it to a lack of 2FA

throwway120385
0 replies
2h59m

AT&T is a real-estate company that coincidentally sells telecommunications services. My wife used to work for them and given what she's told me I would never in a million years do any business with them intentionally.

smcin
0 replies
5h9m

Snowflake is saying they knew of unusual activity "around mid-April 2024", confirmed "May 23, 2024", around which time they made MFA mandatory (although their customer AT&T say they knew of the breach "Mar 20"; these timelines keep shifting back):

"Mandatory MFA option unveiled by Snowflake" - Jul 11, 2024 https://www.scmagazine.com/brief/mandatory-mfa-option-unveil...

"US cloud storage firm Snowflake has already required the implementation of multi-factor authentication across all user accounts a month following the widespread breach of customer accounts, including those of Ticketmaster and Santander Bank, reports The Register."

mewpmewp2
0 replies
4h52m

It's industry standard to enforce MFA for customers of such sensitive data though. There's always going to be weak links.

chefandy
0 replies
4h48m

Right. Snowflake facilitated AT&T'S abject negligence, but ultimately the buck stops with AT&T, here.

John23832
0 replies
2h22m

I feel like this would be true if ONE customer was hacked. At this point it's more than a handful. AND snowflake knew about it.

If all the lockboxes in a bank get broken into, is it respectable to say "ah all of the customers should have used better locks"? The bank is the party who is supposed to be giving the insight into secure storage. They're not just renting space.

sickofparadox
4 replies
5h17m

The Mandiant report said that some Snowflake customers declined to use MFA AND had passwords in place for 4+ years[1]. Maybe Snowflake should have pushed for MFA harder but at the end of the day, this is AT&T's fault.

[1] https://cloud.google.com/blog/topics/threat-intelligence/unc...

wredue
1 replies
4h39m

Non-expiring passwords are probably no more or less secure, unless you are a rampantly terrible employer known for setting ablaze every bridge ever to the point of atomic annihilation.

dylan604
0 replies
4h11m

Are you suggesting a disgruntled former employee could use the password and do things? At that point, I have questions. How is the former employee accessing the cloud service? If your cloud is allowing public access without a VPN, then you've done something wrong there. If the former employee is still accessing your VPN, again, you've done something wrong. Many other things still come to mind but point back to you well before password rotation rules.

Ragnarork
1 replies
4h50m

I'd say the blame lies halfway between AT&T and Snowflake. If you let your customers have poor security practices, and you have the power to ensure a heightened security level, you're also partly to blame...

theluketaylor
0 replies
1h53m

Snowflake also made it hard to have good practices, giving them further culpability. There was no setting for customers to force their entire tenant to enforce MFA. Customers had to depend on each person with access to do the right thing, something that is unlikely to be universally true.

beardedwizard
2 replies
5h43m

The dark web and info stealing malware are the source of the hacks.

My worry is not only that consumers get numb to breaches, but they consume rampant misinformation and have no idea how to hold appropriate parties accountable.

How many times have you held AWS accountable for stolen access keys?

Was it AWS fault when rabbit leaked their own keys?

Is it snowflakes fault when you lose your creds to infostealing malware?

How should snowflake enforce mfa on machine service account credentials?

The answers are no, no, and they cannot possibly. Not even hyperscalers have this magic.

edm0nd
1 replies
4h50m

Eh, iirc the source of the hack was just regular stealers like Redline, not "the dark web".

It was actually Snowflake's fault.

The threat actors were able to find a test/demo account they could log into and from there they were able to access prod things they shouldn't have.

beardedwizard
0 replies
2h28m

This is exactly the kind of comment I'm talking about. You have not read anything from Snowflake, Mandiant or CrowdStrike on this, and you haven't even read the CNN article that has Snowflake's response on this. The Snowflake demo account has nothing to do with it.

taspeotis
0 replies
5h40m

Snowflake blamed the data thefts on its customers for not using multi-factor authentication to secure their Snowflake accounts

graybeardhacker
21 replies
4h31m

Freeze your credit, people! It's super easy. It's not a perfect fix but it's so trivial to do and it will help.

https://www.usa.gov/credit-freeze

You can unfreeze through an app whenever you want/need to.

pavel_lishin
13 replies
4h27m

Is there any reason not to keep credit frozen permanently, only unfreezing it when you're making a large purchase that requires it?

troyvit
1 replies
4h19m

That's what I do. It also slows my roll. It's an extra step I have to take before making that large purchase or applying for anything that requires a credit check.

yelling_cat
0 replies
3h54m

It's an extra step, but a surprisingly simple one. When I opened a checking account recently the bank told me which credit agency they'd use, and I unfroze that account and ChexSystems (another credit agency you should freeze with that is used specifically for new bank accounts) in five minutes using their automated systems. You can supply a re-freeze date when unfreezing as well so you don't need to remember to do that manually once you're approved.

rqtwteye
1 replies
3h45m

That’s what I do. But it’s a little bit of pain to unfreeze your credit with three bureaus when you want a new credit card. Wish there was a way to do this in one place.

r3trohack3r
0 replies
2h48m

After the first time unfreezing, I put the website URL, unlock pins, and concise instructions for all 3 as a single note in my password vault.

Doing all 3 takes ~5 minutes now - which can usually happen in parallel with whatever paperwork the vendor needs to get in order.

kodt
1 replies
3h36m

One interesting thing I ran into with frozen credit is that you cannot sign up for USPS Informed Delivery without them running your credit as a method of address verification, IIRC. If it is frozen the process gets stuck in limbo (at least it did many years ago when I ran into this situation).

golf1052
0 replies
1h50m

This is no longer the case. I signed up for Informed Delivery last year with frozen credit with no issues.

al_borland
1 replies
3h39m

This is how I have operated ever since the Equifax breach. Once that happened, none of the others seemed to matter, everything important for identity theft is out there.

I've had no problems. Someone will try to run my credit, it will fail, then I ask which one they're trying to use, and I unfreeze it for a day. Some of them have the option to unfreeze for a single pull with a 1 time code (if I remember correctly), but when I tried to use that the person trying to pull the report seemed clueless, so I had to do the 1 day unfreeze.

bee_rider
0 replies
20m

Credit is a weird ad-hoc system.

At some point, I wonder if folks will realize that having an unfrozen credit report is a sign of imprudence.

tnel77
0 replies
4h10m

It’s a great idea! I only unfreeze my credit for big purchases like buying a house or car.

noodlesUK
0 replies
4h21m

Unfortunately it isn’t an option in every country. In the U.S., you can freeze your credit for free, but in the UK, you can’t. I think we should get rid of the CRAs entirely, but that’s a conversation for another day.

lotsofpulp
0 replies
3h46m

I open credit cards for the bonuses frequently enough that freezing my credit would be more inconvenience than it’s worth.

Also, all the big bank websites seem to offer real time credit history monitoring for free, so I am betting I’ll just deal with any problem if/when they happen.

k4j8
0 replies
4h18m

Keeping your credit frozen permanently is a great idea. Some of the credit agencies even encourage this with features such as a temporary unfreeze of your credit for a few days/weeks and then back to the permanently frozen state.

david422
0 replies
3h50m

Yep. This is what I did after the first Experian data breach, for peace of mind. I am probably financially lucky enough that I don't need to constantly be checking or using my credit... but honestly it seems like this is what everyone needs to be doing.

zzyzxd
0 replies
3h2m

I keep my credit frozen all the time, but still keep getting alerts about new "no credit check" bank accounts from companies like chime.com. Then I give them my PII again just to verify and close those accounts, even though I don't have any business with them.

xyst
0 replies
3h33m

I typically don’t “freeze” my credit but do have a handful of services actively monitoring my credit for free (have been involved with many data breaches) and it’s included with my credit cards.

A credit freeze restricts access to your credit report

So if I freeze my credit, this will also deny access to the monitoring services AND financial institutions, right?

Side note: financial institutions often do “soft” credit pulls on active account holders to determine if they are eligible for credit limit increases. Have been growing my existing credit line for some time now without having to obtain additional credit cards. So far, close to $500K in unsecured credit.

Seems more like a nuclear option.

therealmocker
0 replies
2h34m

I couldn't find a reference to an app on the linked page, could you share more details on the app you use?

psadauskas
0 replies
3h33m

Fuck that. I'm gonna open a bunch of credit cards, buy a bunch of cool shit, and when they ask me to pay my bill, just say my identity was stolen.

If I have to fight the credit bureaus anyway, I might as well get something out of it. Stealing my own identity seems pretty straightforward.

neogodless
0 replies
38m

You can also freeze your non-credit banking:

https://www.chexsystems.com/security-freeze/place-freeze

It was recommended that I do this after a checking account was opened using my identity.

As others have stated, my default is "frozen." I put temporary thaws on when applying for credit, though in some cases, you'll be informed exactly which agency/agencies will be queried, and may not need to unfreeze all of them.

lfmunoz4
0 replies
2h47m

What app or website do you use? Seems like you have to sign up for all three websites? Equifax, Experian, TransUnion?

93po
0 replies
2h10m

I was unable to get any of the three to verify my identity last I did this, and one of the three has never once in my 15 years of trying to get my free credit report let me actually get it.

pylua
20 replies
4h50m

And earlier this year my ssn was on the dark web due to their leak (or vendor). One year of monitoring? No, I’m going to need it for life.

Security is not a concern. There is no real incentive to change the status quo. Make them pay for monitoring indefinitely.

ajsnigrutin
14 replies
4h37m

I never understood the American secrecy about SSN... it should be a "username" not a "password"...

In my country you can calculate your own national ID (mix of date of birth, auto-incrementing number by each birth that day + 1 checksum number), and if you do/have any kind of personal business, your personal tax number has to be written everywhere, on every receipt you hand out or anything you buy as a business.

Somehow knowing that the first boy born today will have an ID number of 120702450001X (too lazy to calculate the checksum, but the algorithm is public) doesn't help anyone with anything bad.

browningstreet
4 replies
4h24m

A lot of financial things in the US are “secured” or anchored by SSN, that’s the only reason why. That and mother’s maiden name and first vacation and other security questions. It’d be less important with MFA now but SSN is also needed when opening new credit, so having it allows you to pretty easily fake someone else’s identity for credit. KYC hasn’t removed it from the equation.

madcaptenor
1 replies
4h5m

"Mother's maiden name" won't work for my kids - my wife kept her name and the kids' last name is hyphenated, so you just have to guess whose name we put first.

AuryGlenz
0 replies
3h53m

It's also probably increasingly easy to look up.

We need a national (preferably RFID-ish) password system.

athenot
1 replies
3h52m

One mitigation is to make your mother's maiden name the output of:

    head -c 20 /dev/random | base64

And keep track of the result in your favorite password manager.

Fortunately, fewer and fewer orgs are using security questions, but there are still some important ones that only use that and no MFA.

theluketaylor
0 replies
3h26m

The problem with that plan is social engineering attacks. CSRs are often careless and will accept 'a bunch of random letters and numbers' as the answer rather than validating each character.

Better to randomly select a long dictionary word or hyphenate a few together. Equally unguessable but easily verified, so it won't be weakened during a phone conversation.
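An added example (not from any commenter in this thread) that makes the trade-off in the last two comments concrete: it generates a hyphenated dictionary-word answer for a security question with a CSPRNG, checks that an answer is made only of words a CSR can read back, and compares the entropy to the 20-byte `/dev/random` answer. The wordlist is a small constructed stand-in; the 7776-word figure used in the comparison is the size of the EFF long wordlist.

```python
import math
import secrets

# Constructed 32-word sample list (5 bits per word). A real deployment would
# use a large published list such as the EFF long wordlist (7776 words).
WORDLIST = [
    "acorn", "badger", "canyon", "dolphin", "ember", "falcon", "garnet",
    "harbor", "igloo", "juniper", "kestrel", "lantern", "meadow", "nectar",
    "orchid", "pebble", "quartz", "raven", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr", "anchor", "bramble", "cobalt",
    "drizzle", "ferret", "glacier", "hollow",
]

EFF_LONG_WORDLIST_SIZE = 7776  # 6^5 entries, diceware-style


def random_bytes_bits(n_bytes: int) -> float:
    """Entropy of `head -c N /dev/random | base64`: base64 adds length, not entropy."""
    return 8.0 * n_bytes


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n_words chosen uniformly and independently from the list."""
    return n_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count whose passphrase entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def make_answer(n_words: int, wordlist=WORDLIST, sep: str = "-") -> str:
    """Build a security-question answer from uniformly chosen dictionary words.

    secrets.choice is used rather than random.choice so the answer is
    unpredictable; duplicates in the list would skew the distribution.
    """
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist must not contain duplicates")
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def is_phone_verifiable(answer: str, wordlist=WORDLIST, sep: str = "-") -> bool:
    """True when every token is a lowercase dictionary word a CSR can read back.

    A base64 blob fails this check: mixed case, digits and symbols are exactly
    what gets mangled when an answer is spoken over the phone.
    """
    parts = answer.split(sep)
    allowed = set(wordlist)
    return len(parts) > 0 and all(
        p.isalpha() and p.islower() and p in allowed for p in parts
    )


def compare_schemes(n_bytes: int = 20, wordlist_size: int = EFF_LONG_WORDLIST_SIZE) -> dict:
    """Report the random-bytes entropy and the word count that matches it."""
    target = random_bytes_bits(n_bytes)
    n = words_needed(target, wordlist_size)
    return {
        "random_bytes_bits": target,
        "words_to_match": n,
        "passphrase_bits": passphrase_bits(n, wordlist_size),
    }


if __name__ == "__main__":
    answer = make_answer(5)
    print("answer:", answer, "verifiable:", is_phone_verifiable(answer))
    print("entropy of this answer:", passphrase_bits(5, len(WORDLIST)), "bits")
    print("vs 20 random bytes:", compare_schemes())
```

With the EFF list, 13 words match the 160 bits of 20 random bytes, but 8 to 10 words already exceed what any realistic online guessing attack against a call centre could exhaust.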

strangecharm2
1 replies
4h28m

This comment pops up every time someone talks about social security numbers. Yes, they were never supposed to be private, but now they are. So either Congress can do something about it, or big companies can stop leaking them. Clever "well, actually"s didn't stop my identity from being stolen recently after a breach, and they never will.

dboreham
0 replies
3h29m

They're not really private+, and nobody should design a system with the assumption that they are. afaik nobody does these days. There are extra authentication checks done in addition to simply "I have the SSN".

+ e.g. until very recently there were US states that used your SSN as your driver license number.

galdosdi
1 replies
3h37m

Somehow knowing that first boy born today will have an ID number of 120702450001X

It's even worse. Only post-2011 IIRC births have an algorithmic SSN. So everyone over the age of 13 still has old fashioned sequential SSNs, where XXX-YY-ZZZZ is determined by

1) XXX is the code for the office that issues your card. Can be guessed precisely and accurately by knowing birth location. For example, I can guess what region of the US you were born in (or lived in when you immigrated) by the first digit. 0 or 1 is probably northeast. 4 or 5 is probably near Texas. 7 might be near Arkansas. Etc.

2) YY-ZZZZ is sequential by date! So by knowing just birth day, can be guessed to within a range. In practice, this means it's easy to guess YY alone, but harder to get all 4 digits of ZZZZ

3) For some stupid reason it got popular to print SSNs with all but the last four digits masked. This is horribly bad because those four are ACTUALLY THE MOST SECRET PART! It's the only part that might not be guessable. But since it's common to be more lax with securing them..... it is super easy to recover the full SSN if you find a piece of paper that says something like

    JOHN SMITH
    123 Main St
    Alabama City, AL 76543

    In ref acct: XXX-XX-1234 (2001-03-14)

    Dear Mr Smith,

    Your account is overdrawn. Have a nice day.

    Thinking of you,
    The Bank

It also means if someone is personally known to me, even vaguely, I may be able to reconstruct their social seeing nothing but a scrap of paper that has just the last four, if I can guess approximately where and when they were born or first entered the US. If I'm in a situation where I can try several guesses, it's even easier.

5555624
0 replies
2h41m

1) XXX is the code for the office that issues your card. Can be guessed precisely and accurately by knowing birth location.

While the first sentence is true, the second is only true if you were born after the mid-1980s, when a Reagan-era tax reform was enacted. (It required a SSN when claiming dependents.) Prior to that, most people did not get a SSN until they got a job.

dylan604
1 replies
4h19m

Even the US gov't gave up on the notion the SSN was not to be used as an identifier. My dad's SS card had a phrase printed on it saying so. My SS card did not have that text.

hermitdev
0 replies
3h20m

My SS card has that text. I got into an argument at the DMV when they asked for it. I relented because I needed my drivers license.

Congress could solve this by enacting a simple law. Something to the effect of SSNs shall not be used as a means of identification by any party, governmental or otherwise other than the Social Security Administration. Use of an SSN as identification shall be subject to a $100 fine per each SSN used as identification, per day.

galdosdi
0 replies
3h44m

It's because it happened gradually / naturally / semi-unintentionally, because:

1) SSN was not intended as a national ID, but it so happened to fit the shape of one, in that almost everyone has one and they're unique.

2) It has never been possible to institute an intentional national ID system in the US for political reasons

That is the recipe for the problem we have now. Strong demand for a national ID from many business purposes, the existence of something that looks a lot like, but is an imperfect form of, national ID, and the refusal to create a proper national ID, has naturally led to a de facto system of abusing the SSN as a national ID and just kind of everyone being a little annoyed and sketched out about it but putting up with it anyway for lack of alternatives.

Incidentally, did you know anyone can generate a valid new EIN (which is a lot like an SSN, and can be used where an SSN can be used for some but not all purposes, specifically filing taxes and ) at this page https://www.irs.gov/businesses/small-businesses-self-employe... ? This isn't legal advice and I'm not a lawyer and I don't know in what situations you personally would be legally permitted to use this (it's meant for businesses, absolutely not some kind of personal alias) -- but technologically, it's just honor system, and anyone can certify they need and are entitled to a new EIN and the IRS web site will provide you with a new unique one. I don't think you even need a legal entity, since you don't need a legal entity to run a business in the US.

alistairSH
0 replies
3h46m

I never understood the american secrecy about SSN... it should be a "username" not a "password"...

The problem is banks/financial services do a piss-poor job validating identity when issuing credit/opening accounts. "Oh, you provided an address, a SSN, and [non-random, easily discoverable personal fact]! Sure, here's a CC with a $150k limit!"

It's not the leak that's the problem; it's the ease with which that leaked data is used to either obtain fraudulent credit or access accounts.

I don't have a good answer, because at some point, a financial institution needs to trust people to do business. Customer loses their phone, so MFA doesn't work, ok, now what? I guess the customer needs to have one-time use recovery tokens saved somewhere that can't be lost? How many people do that (not nearly enough)? How many banks even issue those tokens? And what if the token store gets hacked? Now you're really fucked.

ThunderSizzle
0 replies
4h29m

SSN is too public for it to be private or secret. Multiple employers, schools, medical institutions, financial institutions all ask for it, so it's not private.

It's also treated as evidence of who you are, but it isn't tied to identification like an ID is. These institutions use it without ever truly validating it.

It's similar to how records fraud can occur - people can record anything to the local registrar office, including fraudulent documents, without any checks. Once it's registered, it becomes evidence against the real owner. It's really messed up.

demondemidi
4 replies
4h28m

When I went to college in the late 80s my ssn was automatically used as my student id. When I got my first bank account in 1990, they used my ssn as the account number.

buildsjets
2 replies
3h56m

Our class grades with names and SSNs were posted on the wall after exams in a list of hundreds of students.

Go Jackets.

xyst
0 replies
3h13m

I wonder if the schools actually verified the SSN.

Would have been dank to see 666-66-6666 next to your name

galdosdi
0 replies
3h49m

Ah it was a different time. Societal trust was greater. Without global internetification, the only people who could ever have any opportunity to exploit this information were your fellow campus denizens (students, professors, etc).

Without global internetification, there was not as much an average person could really do or would know to do with an SSN alone to exploit it.

This story is a good parable for so much of what has changed in the world the last couple decades -- we had a world built for less globalization, then we globalized, and we've been gradually adapting to / dealing with the unintended consequences since then.

A real life door can only be picked by your neighbors or anyone else nearby -- attack surface is limited by the nature of physical distance.

A virtual door can be picked at by 7 billion people.

mdavidn
0 replies
3h31m

My first big employer in the aughts had my SSN encoded in a bar code on the back of my company ID, which they expected us to display at the office.

rybosworld
16 replies
5h53m

Consumers are so numb to data breaches that these events now bring very little outrage. I think without that anger from the consumer, there's little incentive for companies to do more to stop data breaches from happening.

chefandy
8 replies
4h52m

Well it's starting to feel like data privacy just doesn't exist anymore. I don't know why administrators for big customer databases even bother setting passwords these days.

pavel_lishin
7 replies
4h25m

My mother was concerned that some of her information, and mine, leaked because she signed up for another bank account from a place she decided she didn't trust. She said she wasn't worried about the money being stolen, but she was worried about our identities being stolen.

My concern was the complete opposite - I assume that my social security number and address are already for sale for a fraction of a cent somewhere, bundled with 10,000 other identities. But if money gets stolen, that's a whole rigamarole, with banks wringing their hands and saying "identity theft" as if that clears them from any responsibility.

0cf8612b2e1e
4 replies
3h49m

As a nobody, I keep wanting a financial product that is a black hole. Money can go in, but cannot come out without significant pain. Seven+ day waiting period, in person visit, physical mail verification, something, anything that means if I do get hacked my accounts are not drained in milliseconds.

When I need a legitimate large withdrawal, I can go through the required effort.

xyst
1 replies
3h4m

This already exists. Withdraw from account to physical cash. Proceed to stash cash in “secret” location.

Most businesses don’t even accept cash anymore. Can’t get “hacked” although it’s prone to many other issues — space, humidity, physical theft.

pavel_lishin
0 replies
2h54m

That sounds like the opposite of what OP wants, because that money can very easily come out, without any pain, and without you even being notified that it's been moved - unless you're re-implementing your own bank-level security, I guess.

For example, let's say you have $100k in savings. I think you would be absolutely bonkers to store that in some secret part of your (flammable! break-in-able!) house.

I guess you could put it in a safety deposit box, and if you needed to spend it in a non-cash way, you could walk it directly to the teller and deposit it and make it available? The equivalent of a cold wallet, I suppose.

chefandy
1 replies
3h34m

You can have a financial manager control your accounts for you and just keep a small checking account, (plus they'll help you grow your balances) but they're not free. Well, they're not free if you want them to be unbiased. Given, what's going to keep them from getting scammed? Maybe what you're looking for is several safe deposit boxes.

0cf8612b2e1e
0 replies
46m

I still want my money invested into the economy. I just want Chase/Fidelity/etc to have an understanding that I am never going to withdraw money from these accounts without planning for it. So, “I” should never be authorized to drain the account at a moment's notice without extensive approval. Anything to cause friction for would-be scammers and only once-a-year (?) pain from me to triply confirm the money can move.

chefandy
1 replies
2h46m

If you have at least a fraud watch on your credit which means creditors are supposed to call you on the number they have listed before they open new accounts, then the money is arguably worth protecting more. But if you think it's tough to convince the bank with which you have an existing relationship that you didn't make some withdrawals, imagine trying to convince a bank you've never heard of that you didn't actually approve a loan for 3 Cadillac Escalade Platinums which neither you nor the bank realize are currently in a shipping container on their way to Abu Dhabi.

(Nothing against Abu Dhabi— I just picked a random place not under US jurisdiction where plenty of people have Escalade Platinum money.)

pavel_lishin
0 replies
1h35m

I often choose Abu Dhabi as an "example destination", because that's where Garfield kept mailing Nermal in the comics.

TeaBrain
2 replies
4h22m

I think many companies think they can solve this issue by throwing money at their cyber security teams. It just happens that cyber security teams are often ineffective.

softfalcon
0 replies
3h52m

Maybe this is how it is at some places, but in my experience, it is not the case. I have friends who have worked in cyber-security for Fortune 500 companies and almost all of those companies would short-change (or outright ignore) the recommended spend and suggestions of their cyber-security employees, contractors, and advisors.

Where are you getting your information from? The levels of security negligence I hear about aren't even a big ask. Huge companies neglect to do basic things like "don't store your passwords in plain text" or "make sure you salt and hash your passwords".

I don't think it's fair to say cyber security teams are failing if companies are blatantly doing the worst and most obviously wrong things on the daily at the highest levels.

marcosdumay
0 replies
4h4m

How could they? Everything related to computers is designed to exfiltrate data nowadays.

kredd
1 replies
3h46m

After Equifax debacle, I don’t think anyone cares. It’ll only be a big deal if there’s a huge B2B leak and business-critical data gets exposed, other than the usual name, address and phone number.

al_borland
0 replies
3h37m

I'm still upset the government hasn't started work on a new national ID program after the Equifax breach. The SSN is not a suitable ID number in this day and age. We need something better that can withstand these kinds of things without screwing people for life. My credit will be frozen for the rest of my life, and everyone else should do the same.

xyst
0 replies
3h11m

AT&T is a public company. Public company needs to get fined appropriately.

Start issuing multi billion dollar fines for these breaches and suddenly companies are invested in security.

Unfortunately with government agencies getting defanged as part of recent SCOTUS ruling, it’s likely not possible.

Have to rely on civil court to issue fines now (ie, class action lawsuits).

strangecharm2
0 replies
4h30m

And why didn't they do anything when we WERE angry?

jen20
12 replies
5h51m

This is the kind of breach that really should be company-ending, but will sadly instead likely result in a slap on the wrist.

It is high time for the US to have a privacy law with real teeth, and to enforce it with vigour.

criddell
10 replies
4h40m

Or maybe it's time to turn software engineering into an actual engineering profession. If the people responsible for designing and maintaining the AT&T system were "real" engineers, they could be sued for malpractice or even lose their license to practice.

ghaff
5 replies
4h32m

Do you really think that requiring 4-year degrees and passing a licensing exam would make a big difference? The fact is that, outside of civil engineering which involves a lot of dealing with regulatory agencies, most engineers in the US don't have PEs. I started on the path to get one because, had I stayed on my initial career path, I'd have been sending blueprints etc. to regulatory agencies but I ended up changing careers.

acuozzo
4 replies
3h57m

No, what will make the difference is being personally liable for the vulnerabilities you introduce.

Not the company. You.

ghaff
2 replies
3h52m

How many individual engineers do you suppose get prosecuted for making errors--even careless ones? I'm guessing very few in the West. And I'm not even sure lopping off a head here and there to encourage the others is even a good idea.

criddell
1 replies
3h34m

How many individual engineers do you suppose get prosecuted for making errors--even careless ones?

Not many but is that because they don't get sued or because professionals who face consequences for negligence make fewer stupid decisions?

ghaff
0 replies
3h23m

I would assume that engineers, at least in the US, are far more concerned about getting fired/eased out than prosecuted if they do stupid things given that companies can do so pretty easily.

jen20
0 replies
2h53m

Look at Sarbanes-Oxley for precedent. Management has to be made liable for sufficient cultural shift to occur.

jen20
2 replies
2h54m

The root cause is not whether engineers are licensed (I'm fine with that idea, but it's not going to resolve this specific problem). Instead, it is a culture of not caring about security because the fines are a cost of doing business, which comes from management, and treating personal information as an asset instead of a liability.

A Sarbanes-Oxley style law that makes the CEO personally criminally responsible for breaches will be vastly more effective than pursuing individual engineers - many of whom will be on the types of visa where they have no effective route of pushback on orders anyway.

criddell
1 replies
2h39m

When a doctor is negligent, their employer is often also sued if it can be shown that it knew shenanigans were underway and did nothing.

We shouldn't choose between holding engineers or executives responsible. Each should be held responsible for their part.

jen20
0 replies
2h12m

Indeed - but we should start at the place likely to actually make a difference: the executives.

lesuorac
0 replies
4h21m

Snowflake still works though. What civil engineer has been sued because somebody jumped off their bridge? You get sued when the bridge collapses not when somebody uses it for an unintended action.

Ekaros
0 replies
5h33m

Class-action suit sounds reasonable, but sadly those never give penalties in the right ballpark. Here it should be hundreds to thousands at least per affected customer.

But my guess is it is a few tens of cents, if that... While the lawyer will get a nice couple million pop...

lumb63
10 replies
6h7m

This is another consequence of the surveillance state. The same data that can be used to surveil us by the government can be stolen by who-knows-who. We’d all (mostly) be far better off, IMO, if companies didn’t retain such records.

rustcleaner
8 replies
5h35m

My wet dream would be a dump of all SMS or Meta or iMessage messages for a multiyear period for nearly 90% of users. Only when Normie Norman's private chats to his mistress and other little relationship trust disrupting secrets become uncensorably hosted on the darknet and freely searchable, only then will Normie Norman get a clue and install SimpleX/Briar/Cwtch/any other owner-free decentralized p2p chat.

dtx1
6 replies
5h21m

While I share the sentiment, Normie Norman is not at fault. Meta and other BigCorps are the perpetrators and Norman the Victim.

rustcleaner
2 replies
5h18m

True, but you have to admit once you really see Normie Norman you come to understand aristocracy.

At least I do anyway.

shrimp_emoji
1 replies
5h15m

https://dwm.suckless.org/

Because dwm is customized through editing its source code, it's pointless to make binary packages of it. This keeps its userbase small and elitist.

rustcleaner
0 replies
5h3m

Not in the way of a narcissist trying to separate himself from the group, but to see that Norman is very much susceptible to cow-like behaviors you can leverage. That's what I mean by understanding aristocracy. Aristocrat : Rancher.

robcohen
2 replies
5h18m

I have to disagree. He is at fault. Ultimately, you are the only person who really should care about your own security. When you delegate that responsibility, you are still the one who made that choice.

tsujamin
0 replies
4h21m

Having a mobile phone is necessary to securing employment, shelter and sustenance in many cases, yet somehow it’s an individual's fault for choosing to have a phone account when a pair of multibillion dollar companies breach that data through lax security practices?

doublepg23
0 replies
5h6m

I don’t think it’s fair to blame people for not understanding the subtleties of encrypted communication.

Everyone only has so much attention to give.

LinuxBender
0 replies
3m

Not unrealistic. I used to have a tail of all SMS texts running 24/7 and was required to grep for specific terms for certain agencies until they eventually had their own access. This was only SS7 based texts and was before RCS existed. I could have saved it all to my workstation but knew better than to do that. Either way SS7 is very insecure.

Jgrubb
0 replies
5h35m

Yes but have you ever asked a dev if they actually need the 8 year old logs in some bucket?

smcin
7 replies
6h1m

Ongoing fallout from the Snowflake compromise; AT&T knew on Apr 19 but only disclosed now (Why does this not fall under SOX violation with the obligation to report timely to affected parties? It has affected AT&T's stock price -3% in early trading, so shouldn't it have also required SEC disclosure?)

- Records downloaded from Snowflake cloud platform

- AT&T will notify 110 million AT&T customers

- Compromised data includes customer phone numbers, metadata (but not actual content or timestamp of calls and messages), and location-related data. Not SSNs or DOBs. Mostly during a six-month period 5/1-10/31/2022, but more recent records from 1/2/2023 for a smaller but unspecified number of customers. TechCrunch report has more details including Mandiant's response, the name and suspected location of the cybercriminal group

I wonder if Congress manages to summon TikTok-like levels of anger on regulating this one.

softwaredoug
2 replies
5h49m

Snowflake blamed the data thefts on its customers for not using multi-factor authentication to secure their Snowflake accounts, a security feature that the cloud data giant did not enforce or require its customers to use.

So AT&T put all our call information somewhere and hid it probably behind a weak password with no additional factors. IMO that's actionable negligence and I hope they get sued to oblivion.

smcin
1 replies
5h44m

I'm more stunned that AT&T knew back on Apr 19 [UPDATE: Mar 20] yet feels it had neither an SOX violation nor SEC obligation (share price effect) to notify timely. Like, by Apr 22. Not three months later [UPDATE: 4 months later].

Remember the massive Yahoo 2014 hack which Yahoo management failed to notify its own users for 2 years?

If SOX violation only literally covers users' own passwords getting breached, but not 2FA or other passwords to access the same data, will Congress amend it urgently?

EDIT: apparently they're hiding behind the 3/20 disclosure [0] which is all they disclosed until [1],[2] today.

[0]: March 30, 2024 - "AT&T Addresses Recent Data Set Released on the Dark Web" https://about.att.com/story/2024/addressing-data-set-release...

"AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web; source is still being assessed...

"AT&T has launched a robust investigation supported by internal and external cybersecurity experts. Based on our preliminary analysis, the data set appears to be from 2019 or earlier [incorrect], impacting... approx 7.6m current and 65.4m former AT&T account holders"

"Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set.... As of today, this incident has not had a material impact on AT&T’s operations." [but did it have a material impact on the customers/ex-customers?!]

[1]: Jul 12, 2024 - "AT&T Addresses Recent Incidents Regarding Access to Data" https://about.att.com/pages/data-incident.html

[2]: Jul 12, 2024 - "AT&T Addresses Illegal Download of Customer Data" https://about.att.com/story/2024/addressing-illegal-download...

"Based on our investigation, the compromised data includes files containing AT&T records of calls and texts of nearly all of customers of [AT&T’s cellular and (MVNOs) using AT&T’s wireless network], as well as AT&T’s landline customers who interacted with those cellular numbers between May 1, 2022 - October 31, 2022. The compromised data also includes records from January 2, 2023, for a very small number of customers. The records identify the telephone numbers an AT&T or MVNO cellular number interacted with during these periods. For a subset of records, one or more cell site identification number(s) associated with the interactions are also included."

smcin
0 replies
4h25m

Subsequent reporting reveals that the DOJ ordered two ~month-long "delay periods" in disclosure:

The Justice Department determined on May 9 and again on June 5 that a delay in providing public disclosure was warranted, so the company is now timely filing the report.

The company [AT&T] is working with law enforcement and believes at least one person has been apprehended, according to the filing. It does not expect the event to have a material impact on its financials.

MarketWatch: [https://www.marketwatch.com/story/at-ts-stock-slides-2-9-aft...]

amanaplanacanal
1 replies
5h34m

According to CNN:

“The company said the US Department of Justice Department determined in May and in June that a delay in public disclosure was warranted. It’s not clear why that the US government requested that data be delayed. CNN has reached out to the Justice Department for comment.”

nimbius
0 replies
5h16m

May 16 Dow Jones Industrial Average surpasses 40,000 points for the first time, before closing at 39,869.

public disclosure of a cataclysmic security breach in a darling of the stock market could have significant repercussions.

adamtaylor_13
1 replies
4h48m

It definitely included SSNs for some of them.

Source: me. My data was included in the leak and it included my SSN. It’s been a cluster fuck of a cleanup.

wredue
0 replies
4h36m

My SIN number has been leaked no less than 4 times tied to basically every standard identifying question about me now, if that helps ease your worry.

I guess the new methodology is that a company cannot be sued if they just all leak data, that way nobody knows which one is responsible for your identity theft.

akshayB
6 replies
6h2m

The real problem is that data needs to be deleted over time. There is not much of a use case for customers to go back to last year and see who called them, and obviously there are use cases like criminal investigations or spying. But the customer has no power or ability to dictate how long their records are stored and how they are used. Companies should provide tools and features to their customers empowering them with their data.

mountainb
3 replies
4h48m

Non-murder criminal offenses typically have very short statutes of limitations.

A lot of this could also be solved by encouraging the federal government to enforce federal privacy law as written more aggressively. A good incentive would be to amend the privacy statutes to permit the FTC to keep the funds extracted from settlements and penalties in-house. This would allow them to increase staffing and create a positive feedback loop to deter wrongdoing. This would have a negative effect on incumbent companies and practices, but it would not take long for the message to get across and for practices to change accordingly.

Congress tends to prefer keeping agencies on its own budgetary string which paradoxically limits what the agencies are capable of doing. The laws that we think protect us do not protect us because many of them are within the exclusive jurisdiction of a federal agency with very limited powers and funds. In the US the leadership likes to create the illusion that it has made "Bad Problem" illegal by writing it into the law, but it does not like creating the conditions in which "Bad Problem" could be solved, whether it's because the tradeoffs involved are tough to contemplate or because keeping "Bad Problem" around as a visible enemy is clever politics.

_heimdall
1 replies
4h33m

Non-murder criminal offenses typically have very short statutes of limitations.

There's a hidden assumption here. The expectation is that data retention and potential privacy violations are a necessary evil because anyone may later be under investigation for a crime. The data could go uncollected; it isn't AT&T's job to retain private information on all of us just in case an investigator wants it.

Take telecoms out of it and consider a convenience store. Police would like to have video recordings of whatever moment in time they are investigating, but that doesn't mean the video has to be recorded and retained. A shop owner can choose to record videos and only retain them for a week if they want, or they can have cameras installed but not even recording if they're okay with just the effect of deterrence.

mountainb
0 replies
3h58m

Many civil claims have short statutes of limitation as well. It's not really that good for these companies to maintain regular business records going back to infinity that are subject to discovery in disputes that are not even related to anything the telecom company did. Complying with the discovery requests and subpoenas is expensive. The fetish for the somewhat imagined benefits of big data creates open-ended liabilities for these companies. But the pressure that law enforcement and the spy agencies put on the telecom companies to facilitate this has been an open secret for a long time now.

A lot of this is on the federal government and Congress for leaving an area in which it has power dormant and within its relatively exclusive control. Thanks for the conversation.

willmadden
0 replies
4h10m

That's another bandaid. The root cause is customer data collection mandated by outdated regulation. People should be able to digitally sign or provide a public key for their personal information without providing the raw text to 3rd parties. Various 1970's style government tax and regulatory rules need to be updated as well.

tantalor
0 replies
4h53m

This isn't data for serving user needs, this is data for spying on users

softfalcon
0 replies
3h46m

They have a financial incentive to never delete your data. Storing old data forever creates a perfect paper trail to sell to advertisers and perfect the shadow profile they keep on all of us.

I agree that deleting all your data after a year makes sense practically, but they'll never do it because it makes them too much money to keep it around.

zsdfgyn
4 replies
4h19m

Key point of the article:

"Snowflake allows its corporate customers, like tech companies and telcos, to analyze huge amounts of customer data in the cloud. It’s not clear for what reason AT&T was storing customer data in Snowflake, and the spokesperson would not say."

Finally journalists are asking the question why customer data must be stored with third party cloud providers. AT&T is a long way from Bell Labs, shame on them.

orochimaaru
3 replies
4h11m

All companies use third party cloud providers. A lot of legacy companies have been shutting down data centers to move to the cloud. So there isn’t a question of why your data is in the cloud. It’s going to be in the cloud.

sbarre
2 replies
3h43m

And honestly, I think I'd rather trust cloud providers with the data than the remnants of a decimated IT team in a large enterprise that's struggling to maintain their own on-prem infrastructure that's super old and probably not up to date on patches.

Andrex
1 replies
3h34m

The problem is then you have even fewer technically-competent people internally to actually manage the cloud, and combined with AWS's many documented footguns it's not clear to me the "new normal" is actually any better for security.

You go from being a potentially-small-fry target to getting your data collated in massive breaches. There's risks to both.

orochimaaru
0 replies
3h25m

That’s the thing though - this was a snowflake breach. It’s not an AT&T miss because of their decimated sw engineering teams. Snowflake has much better sw engineering than AT&T.

squeegee_scream
4 replies
3h44m

It's ok everyone! Protecting our data is one of AT&T's top priorities.

Protecting your data is one of our top priorities. We have confirmed the affected access point has been secured.

We hold ourselves to a high standard and commit to delivering the experience that you deserve. We constantly evaluate and enhance our security to address changing cybersecurity threats and work to create a secure environment for you. We invest in our network’s security using a broad array of resources including people, capital, and innovative technology advancements.

I hope there's an enormous fine for this kind of negligence

nashashmi
2 replies
3h41m

Not their fault. Snowflake was breached. And the data was with Snowflake.

jeff_tyrrill
0 replies
1h1m

Your contractor being breached means you were breached.

hobs
0 replies
36m

Snowflake was "breached" by AT&T users using the same password in Snowflake and another system that was breached.

This is just trivial pivoting done with some guesswork done fairly well.

xyst
0 replies
3h40m

The “fine” will consist of a class action lawsuit that will eventually (3-4 years later) be bargained down to 1/2 the original claim. Lawyers take their 25% (or whatever cut was negotiated) fee. Then the impacted customers (assuming they submitted all of the claim paperwork) get paid out a few dollars.

buro9
4 replies
6h4m

Including all location metadata associated to that?

smcin
3 replies
5h48m

The reports said celltower-level location data associated with calls and texts (but not datestamps). That would allow inferring their homes, job location, commute, family members, social graph.

sitkack
2 replies
5h13m

You can still recover that without timestamps. It also looks like if anyone interacted with an ATT customer or used an MVNO your data is in there too.

dylan604
1 replies
4h9m

It even said land lines had their numbers in the data if an ATT customer contacted one.

Edit: I must have read that from a different article than the TFA though.

sitkack
0 replies
1h59m

Yeah, all att customers, 2nd party participants and any other user of their network. Not just direct customers.

JohnMakin
4 replies
5h43m

So where/what is my compensation? (I know there is no recourse).

When no one is on the hook for secure practices, like enabling MFA on your effin data stores that contain massive amounts of customer PII, this is the result. Not even an apology, just report it and move on. woops! those gosh darned cyber criminals.

criddell
2 replies
4h49m

If you go to court and ask for compensation you would likely be asked to show harm. Could you?

JohnMakin
0 replies
4h32m

It really doesn’t matter. Compensation has been dispensed to customers in data breaches such as credit/ssn info, no harm proof needed. Potential for harm is enough. Breach of contract, as a customer do I have a reasonable expectation that this data is not exposed? of course I do. No one could very seriously argue it’s a zero sum.

EarthLaunch
0 replies
4h17m

Is there no harm, or is there harm that is hard to show in court?

latchkey
0 replies
3h48m

I've received checks over the years for various things like this. You end up having to fill out a claim form and then wait about 5 years and one day, you get this check in the mail for some tiny amount of money.

throwaway120724
3 replies
3h49m

There's no way to make the software perfectly safe from hackers and from social engineering. So, yes, companies should be more careful with the data and, yes, the data shouldn't be kept forever. I agree companies should be doing more to protect the data.

I see lots of outrage at the companies and why isn't the government doing more to punish them and how do I get compensated ...

But, I feel like everyone is blaming the victim. Is it the home owner's fault when someone breaks in and steals stuff?

Where's the outrage at the hackers breaking into these accounts? Where's the "why aren't the governments tracking these people down?" Why is no one demanding that the hackers be brought to justice?

throwway120385
0 replies
2h49m

The problem with analogies is that they're a leaky abstraction. You're comparing a single person with maybe a handful of employees to a giant, multinational corporation with corporate offices, hundreds of thousands of employees, enough real estate to create a small country, and billions of dollars per year in revenue. It's a false equivalence to compare this to door kicking like it was some kind of petty theft.

They literally kept everyone's information in a machine that was connected to the internet and then didn't make any effort to treat that with the gravitas it deserves. They are not the victim here, we are. It's a little shameful that you don't see that.

rightbyte
0 replies
3h41m

But, I feel like everyone is blaming the victim. Is it the home owner's fault when someone breaks in and steals stuff?

Where's the outrage at the hackers breaking into these accounts?

The internet is essentially every hooligan in the world about to kick in your door. So yes, I blame the home owner.

It seems silly to me to condemn anonymous users of the internet.

Back in the days when nothing of importance was done on the internet the view was way more healthy.

If you have sensitive data, don't expose it to the hooligans. Easy as that.

metabagel
0 replies
3h40m

There's no way to make the software perfectly safe from hackers and from social engineering.

This is a straw man argument. Companies should use best practices in order to prevent most intrusions. When they do not, as in this case, criticism is warranted.

skybrian
3 replies
3h36m

Snowflake blamed the data thefts on its customers for not using multi-factor authentication to secure their Snowflake accounts, a security feature that the cloud data giant did not enforce or require its customers to use.

And is that going to change?

dboreham
2 replies
3h30m

This is a diversion. Why did they build a system that permitted a bulk database dump of hundreds of millions of rows even with 2FA?

vel0city
0 replies
3h10m

Why did they build a system that permitted a bulk database dump of hundreds of millions of rows

Should all databases be capped at a few million rows total or something? I don't quite understand where you're going with this.

skybrian
0 replies
3h16m

Because that’s what a data warehouse is? You’d think they’d guard them more, though.

floatrock
3 replies
5h36m

In a statement, AT&T said that the stolen data contains phone numbers of both cellular and landline customers, as well as AT&T records of calls and text messages — such as who contacted who by phone or text — during a six-month period between May 1, 2022 and October 31, 2022.

AT&T customer? Prepare for phone calls / text messages from your most frequent contacts saying "I got stranded / I'm Officer Blahblahman helping your friend get home... please send gift card / venmo"

It's only metadata...

morkalork
1 replies
5h21m

I guess everyone is going to learn what Snowden was worried about the hard way now. I imagine there's going to be extortion attempts over calls to abortion clinics etc.

smcin
0 replies
5h15m

Among other things. The data's mostly from May-Oct 2022.

rustcleaner
0 replies
5h20m

I just realized this is going to fvck my call blocking strategy up: now creditors will have a bank of known good numbers to spoof into my whitelist with! :^O

stevetron
2 replies
3h41m

AT&T bought into a significant amount of DirecTV - so much so that everything that had the DirecTV logo on it was changed to the AT&T logo, such as the invoicing. So the AT&T customer base has included, for several years, the DirecTV customer base. The article doesn't attempt to clarify who the 'nearly all' customers are, and some people will jump to the conclusion that it is the cell phone customers. But it could include the DirecTV customer base whose data is also at risk.

vel0city
0 replies
3h11m

AT&T didn't just buy into a significant amount of DirecTV, they owned DirecTV. As in, 100% ownership. So yes, all DirecTV customers were AT&T customers, because AT&T and DirecTV were not separate entities. It wasn't until 2021 that DirecTV was spun off into a separate company again, but still with 70% ownership by AT&T.

hermitdev
0 replies
2h38m

AT&T does a lot more than just cell phones. Probably also the largest US ISP behind Comcast, I'd expect. I had AT&T fiber to the home at a previous residence, and that was a great product. Far superior to Comcast.

OutOfHere
2 replies
3h43m

Unfortunate as it is, nobody genuinely cares about:

1. Preventing data breaches

2. Properly anonymizing aggregated personally identifiable data

3. Having and using a secure ID and verification system

mv4
0 replies
3h36m

I am seeing this mentality as well, and it's disheartening. My company manufactures and sells a privacy-first, fully autonomous, on-prem, video security system for home and SMB. Yet, some people choose a cloud based service (convenient) and are surprised when their private data is either a) hacked, or b) abused by the provider's own employees (see the latest Amazon Ring settlement).

With the latest scandals and breaches though, I feel it's gradually starting to change.

gmd63
0 replies
3h39m

They don't care because they don't know how the systems they use daily work, much less the costs and risks involved.

If they knew, they would care, and that's why representatives care on their behalf.

You could say the same about health and nutrition, but people very much do care when a medical issue tangibly affects them negatively.

MOARDONGZPLZ
2 replies
4h1m

Is this leak why the spam text messages have gone from “Hi how is your day ?” or “Hi [not my name] please do thing X. If you’re not [not my name] I’m so sorry perhaps we can be friends.” to “Hi is this [my full name]?” or “Hello [my first name] how is your day ?”

jeffwilcox
1 replies
3h43m

Any leak with your mobile and name pair could have done that. As a non-AT&T customer, I get the my-specific-name pig butchering texts, too.

MOARDONGZPLZ
0 replies
3h8m

True. They’re brand new to me though. I’ve been getting the former for years, the latter for only weeks.

mdale
1 replies
4h46m

Interesting that they use the word criminals instead of hackers.. makes it sound like it was a physical heist rather than poor security practices on their part :)

demondemidi
0 replies
4h27m

They are criminals.

kjellsbells
1 replies
3h1m

I find it interesting that in your typical BigCo breach, they are at pains to point out that credit card details were not stolen. I infer from this that something about credit cards, and how they are secured, has real teeth and BigCo's lawyers are trying to stop them biting. Is this PCI-DSS? Maybe someone can comment.

As far as this breach goes, I think it just confirms my gut feel that Snowflake are heading to the wood chipper.

jeff_tyrrill
0 replies
56m

I think it's a desperate attempt to downplay the severity in any way plausible, taking advantage of the fact that credit card numbers and social security numbers have been mythologized in the American consciousness as nearly-mystical totems of identity and security, as part of the "identity theft" meme, even though they play little role in actual information security or privacy.

John23832
1 replies
6h16m

And, honestly, how is this info (which I WOULD want to know) meaningfully actionable to customers? We get our information stolen from a myriad of sources every day. These companies do comparatively nothing to make things right, and the burden falls on customers to pick up the pieces if you're in a tranche that is sold and used.

smcin
0 replies
5h53m

Of course it's not meaningfully actionable to customers, big time lag in not disclosing since Apr 19. (Why does this not fall under SOX violation with the obligation to report timely to affected parties? It has affected AT&T's stock price -3% in early trading, so should it have also required SEC disclosure?)

Wondering what is the significance that most of the stolen records were from the period 5/1-10/31/2022? Does it mean that AT&T enabled 2FA on more recent records, or that more recent records were on a different cloud bucket (or that they mostly stopped using Snowflake since)?

the8472
0 replies
3h55m

The headline could equally say "AT&T kept data for criminals to steal".

If wiretapping laws didn't exist then most of this data would not be justified to exist. Flat-rate billing doesn't need to keep track of this information. Even usage-based plans could keep cumulative records rather than individual ones, or at least delete them at the end of a billing period.

Where there is a trough, pigs gather.

mensetmanusman
0 replies
2h48m

Nice way to rule out who is a spy or not. Nice.

jonplackett
0 replies
4h4m

Unbelievable that they do not enforce 2FA for a client that huge. Absolute madness!

ilteris
0 replies
5h11m

I am an ATT user and on a Pixel, which is generally good at filtering spam messages. I have noticed I was getting so many spam messages recently ("wanna make money working remotely for x hours a day only") that I was surprised and thought my number somehow made it to one of those spam networks. This confirms my suspicions.

abduhl
0 replies
4h41m

> AT&T said it learned of the data breach on April 19, and that it was unrelated to its earlier security incident in March.

Why was this not disclosed on AT&T’s earnings call on April 24? At least someone will get compensated for the breach, although it’ll be the lawyers for the class action lawsuit that’s about to hit instead of the customers that got their information stolen.

MisterBastahrd
0 replies
3h35m

Be nice to have a new federal law: you get breached, you pay $5K plus lifetime credit monitoring to each person involved. Non-dischargeable by bankruptcy. No arbitration, no lawsuit. You pay.

BenFranklin100
0 replies
4h44m

This is a political problem. Until we pass laws under which companies can be found liable for significant damages in the event of data breaches, we will see little progress on data security. This is an area where Congress needs to act. Current law does not adequately protect the public due to the difficulties in establishing standing, tying specific breaches to specific personal damages, and other reasons.

Such a law would seriously impact current practices of the majority of IT firms, including small app developers, which is why we see little push from silicon valley for such changes.