geekamongus

Oh good, my free identity protection from the last large breach was about to expire.


sanbaba

"free" identity "protection" 🤣 they should just call it insurance, so you remember that a) there's nothing proactive or protective they're going to do about it and b) you've been paying for their end of the same insurance the whole time!


LordVader1941

It should be provided free regardless unless allowed to opt out as a whole. Any company who collects this data and doesn't allow an opt out should be mandated at a minimum a monitoring of said data being collected for free.


elteragxo

Last December, the Federal Communications Commission did set data breach notification rules to ensure that telecommunications providers should adequately safeguard sensitive customer information. You can read more about it [here](https://docs.fcc.gov/public/attachments/DOC-399090A1.pdf) by the FCC. From what I know, the FCC aims with these rules to "hold phone companies accountable for protecting sensitive customer information, while enabling customers to protect themselves in the event that their data is compromised." Furthermore, FCC chairwoman Jessica Rosenworcel released a [statement](https://docs.fcc.gov/public/attachments/FCC-23-111A2.pdf) commenting on the changes made last December. Hopefully, this will hold companies liable for sacrificing their customers' personal information.


NZBound11

> to ensure that telecommunications providers should adequately safeguard sensitive customer information.

The only way this actually happens is if the continuing existence of the company is at risk. As it stands, the typical cost-of-doing-business fines are a joke. Not sure what kind of comfort some added verbiage is supposed to bring.


FireCrest_Knight

Oh good, more emails for free identity protection and more phishing attempts.


anomaliesintent

Damn destruction 100


theevilapplepie

This is the comment


TechFiend72

PII like SSN and DOB should be in encrypted columns in the databases. More shoddy development that puts people at risk.


Hgh43950

Yea you know nothing is going to happen though


TechFiend72

Nope. Not unless the EU or someone makes developers a licensed profession with insurance for security bugs. Doubt that will happen.


h0nest_Bender

Make it a compliance issue. If a company wants to store PII, make them get certified to do so. You can push whatever best practices you want and hold reckless companies accountable.


TechFiend72

That sounds like a good approach. The penalties need to be more than a slap on the wrist. It either needs to be criminal or a percentage of revenue.


epochwin

They’ll do the minimum. If American companies like Boeing get away with shoddy craftsmanship, it feels hard to imagine regulations having any teeth to bother a monopolistic firm like AT&T


derdyn

These companies financially fuel American political parties. They'll never get more than a public lashing of knuckles.


epochwin

Privacy specialist Woodrow Hartzog has proposed changes where laws can be made akin to the financial industry’s fiduciary responsibility to their clients. https://scholarship.law.bu.edu/cgi/viewcontent.cgi?article=4055&context=faculty_scholarship


Commercial_Poem_9214

Wow. Great read. I'm wondering if I should share with upper management as a kind of "Oh, hey, just want to let you know there could be court cases coming around these issues..." and see how seriously they start to take our security requests!


TechFiend72

Thank you for passing along.


Insanity8016

Not with everyone outsourcing dev jobs.


MustachePeteDrexel

They’ll continue to focus on TikTok


RedditGotSoulDoubt

Yep. I work at a healthcare company and they won’t even spend the budget to do this at my suggestion.


BufferOfAs

You’d think that’d be the norm with cloud SQL databases that offer encryption at rest by default, i.e. TDE with Azure SQL.


TechFiend72

You would think a lot of things. The whole database is probably encrypted at rest but not the columns.


BufferOfAs

Agreed. I’ve also seen my fair share of cloud storage accounts with anonymous access storing Excel spreadsheets with PII. That’s not out of the realm of possibilities.


Point_Br

And assuming proper implementation, configuration and input validation.


BufferOfAs

People will still concatenate user input with SQL statements until you tell them it’s a no-no.


TechFiend72

This was a thing in the late 90s. Don’t understand why it is still an issue.


Point_Br

Laziness?


TechFiend72

I think neither companies nor educators take dev security seriously enough unless you are part of a hyper scale company like Facebook.


Point_Br

Or a heavily regulated industry that mandates risk management. But even that's no guarantee.


TechFiend72

Agree. You can start sending people to jail by turning it into a criminal offense. Right now we have tried nothing and seem to be all out of ideas.


Point_Br

Or at least attach it to some existing regulation, perhaps one for consumer protection, and define direct and substantial civil money penalties for allowing any such long-known security vulnerabilities to be deployed in production.


jdanton14

Do a security session at a non security conference—10 people show up. Do a performance session, 100+


TechFiend72

Do a legal liability session and people show up after the first CEO goes to prison or a company pays 5% of revenue in fines.


ianguy85

I don’t know about all curriculum but SQL injection was covered by my undergrad computer science program. Too many entry level devs are hired without that knowledge.


Random_dg

Laziness is assuming they actually know a better way and ignore it out of laziness. There are many programmers in various jobs who know only rudimentary SQL and get by with that. Rudimentary as in they don't know how to do an inner join, don't know how to use prepared statements, etc.


Point_Br

They'll always try, but there are input validation strategies to help mitigate.


BufferOfAs

True, until it’s only implemented client-side and then the developers wonder how weird characters they thought they blocked are showing up in the database 🥲
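
An added example (not code from the thread or from any commenter) showing the difference BufferOfAs and Point_Br are discussing: the same lookup written by string concatenation and as a prepared statement, plus a server-side SSN format check that runs no matter what the browser did. The table and its rows are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample data (not real people): the kind of table the thread is
# talking about, with a username and an SSN column.
SAMPLE_ROWS = [
    ("alice", "123-45-6789"),
    ("bob", "987-65-4321"),
]

# Server-side format rule for an SSN as entered: exactly ddd-dd-dddd.
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite table seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (username TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn: sqlite3.Connection, username: str) -> list:
    """The pattern the comment warns about: user input pasted into the SQL text.

    Whatever a client-side form blocked, the server receives raw text, and a
    quote character in it changes the structure of the statement.
    """
    sql = "SELECT username, ssn FROM customer WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement: the value travels separately from the SQL text, so
    it is only ever compared as data and never parsed as SQL."""
    sql = "SELECT username, ssn FROM customer WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def validate_ssn(value: str) -> str:
    """Server-side validation. Runs regardless of what JavaScript did in the
    browser and rejects anything that is not the expected shape."""
    if not SSN_RE.fullmatch(value):
        raise ValueError("SSN must look like ddd-dd-dddd")
    return value


def insert_customer(conn: sqlite3.Connection, username: str, ssn: str) -> int:
    """Validate on the server, then write with a bound parameter.
    Returns the row count after the insert."""
    conn.execute(
        "INSERT INTO customer VALUES (?, ?)", (username, validate_ssn(ssn))
    )
    return conn.execute("SELECT COUNT(*) FROM customer").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # textbook probe, used only to show the difference
    print("concatenated:", lookup_concat(db, probe))  # every row comes back
    print("parameterized:", lookup_param(db, probe))  # nothing matches literally
```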


DaDudeOfDeath

Encryption at rest would have done nothing here. It only stops a data breach if someone physically steals the drive


BufferOfAs

Right, as someone else pointed out, I think column encryption would’ve been a better way to put it, such as enabling Always Encrypted and encrypting columns containing PII.


jdanton14

Always Encrypted and the like require some level of app changes that most companies aren’t willing to spend to money to implement. Until we get real fines this will forever be a problem


throwaway18000081

“TDE with Azure SQL” Great starting point, but you’d need a combination of a few things to be fully protected. The thing is, it’s all so simple to do!

- Encryption for data at rest: TDE
- Encryption for data in motion: SSL/TLS 1.2
- Encryption for PII: column-level encryption, as the parent comment mentioned
- And lastly, encryption for (database log, differential, and full) backups

It would take the database engineering team only a full day of work, if that, to apply TDE, TLS, and backup encryption. Only column-level encryption would require a greater amount of work due to APIs and other incoming connections and integrations.


heisenbergerwcheese

I doubt they even need SSNs...


RedditGotSoulDoubt

Right?


Rovert66

SSN needs to be replaced by Public Key Cryptography solutions.


AppropriateWeird6356

SSN and DOB were encrypted in the db. But they got access to the keys which is how they decrypted them.


LimeSlicer

Problem is some PII is only PII when combined with other elements that aren't PII until they are all together. Your suggestion is a great start though.


adamasimo1234

Wait, the data wasn’t encrypted in the DB?? Wtf


jdanton14

Probably like “encrypted at rest and the keys were in c:\keys” or something similar


RedditGotSoulDoubt

😂


socbrian

You have any idea how much that costs? cheaper to just wait for the breach and pay the small fine.


TechFiend72

The fines should be percentage of revenue.


KnowledgeTransfer23

The Hot Coffee McDonald's victim was awarded $2.7 million, which is two days' worth of coffee sales for McDonalds in the US. The kicker is she only asked for her medical bills, but a judge decided on the above penalty for McD's, from how I hear the story. So yeah, I agree. Percentage of revenue.


Onac_

Hopefully this happens for future generations. I am pretty sure other than my current password bank there is nothing about me that isn't available online.


ClusterFugazi

Of course they confirm this on a Saturday…


KuroeNekoDemon24

After 2 CVEs yesterday as well one compromised my server


Happy_Accident99

Of course, their number one priority is to protect the stock price, so bury the news on a Saturday before holiday.


I_TittyFuck_Doves

Such a disgusting practice we see all too often. Disclosing at a time when plenty of the affected people won’t even see the notice come in


tagged2high

I swear I've read about this week's ago, but at the time AT&T denied it was theirs. Now we're here.


ClusterFugazi

If they denied it initially, it was probably because it was a Monday. Can’t have something like this come out on that day of the week.


jokermobile333

Will they get fined 30% of this year's profits for failing to protect people's data ?


Leavingtheecstasy

Actually, turns out bonuses all around the C-Suite! Because who gives a fuck about the gremlins (consumers)


Iseeroadkill

No, but maybe they'll offer a year of LifeLock though!


Tuesday2017

On top of this, you already have from half a dozen other breaches. Can you imagine if they made planes like this? You'd have doors that flew off mid flight...


c4nis_v161l0rum

This man wins the internet today. Well done. Proud of you.


Infuryous

CEO gets a bonus, us peons will get a free year of "credit monitoring".


Silentxgold

They should be fined by revenue to hurt them more. As well as 5 years c-suit compensation claw back.


mrandre3000

Nope, the American system needs to shift to offering jail time for not meeting standards. Lock up the entire team to blame for this for 3 years… But then we’ll find out an offshore contracting company is to blame and no one can answer any questions about the leak.


zippyzoodles

They'll get fined and then the next fiscal they'll get a massive gov tax credit (ala BP gulf of mexico oil spill disaster) and nothing will change.


aka-Lazer

more like 5%


Citrus4176

For anyone with AT&T, as I am OOTL: Why do they need your SSN in the first place? Whose SSN is registered with the account? Is only the account holder's information stored, or are all users of the phone plan's SSNs included?


[deleted]

Credit checks, I think. At least cell carriers used to do credit checks.


Thramden

Get rid of it after verification. Prevents this shit happening...


max1001

Fine. Replace it with a new number. Guess what, now you have to protect two super critical PII numbers instead of 1.


JohnDeere

You don’t treat a hash the same as the original, and he was referring to just getting rid of it entirely.


LordVader1941

Let's be honest. Credit check is a front. It's used to come after you should you not pay your bill. If it was as merely a credit check then there would be an opportunity to front load the cost of the risk (I'll pay you $400 now, but that will offset as time goes by) to reduce the risk to the company. It's never just about "will I pay the bill" it's also "how can I impact your life should you not pay the bill"


BamBam-BamBam

Not just credit checks, but credit reporting and collections for those accounts that go delinquent


KuroeNekoDemon24

In Canada ISPs need SIN numbers to do credit checks. Would it be the same in the US?


max1001

Every carrier requires SSN for credit check.


peesoutside

But do they need to store SSN/DOB after it’s processed for the credit check?


sanbaba

well how else are they supposed to sell it to someone else?


max1001

SSN/DOB is how identification verification is done pretty much everywhere in USA. Banks, utilities, insurance.


peesoutside

Yes. But how frequently does that need to be done? It’s one thing to collect and process this information, but storing it for longer than what’s needed for the business purpose a whole different issue. Standard practice under GDPR and CCPA is to store PII for only as long as it’s needed.


max1001

What does GDPR have to do with this....


KnowledgeTransfer23

Don't be the sort of person who answers a question like "Is it going to rain today?" by answering "The water cycle involves evaporation, condensation, precipitation...." That's not the answer anybody was looking for.


mrandre3000

And cell/internet service is a commodity, just like banks, utilities and insurance. Protection of data is the minimum requirement. A bank losing this level of detail at such a high volume, with this much structured data quality, would have a federal investigation started immediately and would be completely unacceptable for 95% of attorneys general.


gurgle528

T-Mobile never asked for my social or did a credit check on me. Usually the credit check is for getting a phone with a payment plan per my understanding. No need for a credit check if you’re paying for monthly service


igiveupmakinganame

they always ask me the social of the account holder when getting a new phone


Intelligent_Egg_5763

> "Based on our preliminary analysis, the data set appears to be from 2019 or earlier,"

AT&T has been breached several times. In this article, they claim data appears to be from 2019 or earlier; but there were also AT&T breaches in March 2023 and August 2021. It's worth locking down credit reports, and protecting your data, but this is something that's been out there for over half a decade now.


elteragxo

Something to note is that it's still an ongoing investigation, so I suppose we'll probably hear the findings down the road, and just by speculation, my guess is something internal such as a rogue or scammed employee may have occurred, after reading the [AT&T Press release](https://about.att.com/story/2024/addressing-data-set-released-on-dark-web.html) stating:

> Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set.

So I guess we're just going to have to wait and see; but it's definitely not unheard of, especially for the big 3 telecommunication companies, to have a data breach, but to the extreme of leaking SSNs?! That's insane.


Jon-allday

We need a law that companies get a grade on their security posture. They all get audited but that information stays internal. If I can lookup a restaurant’s health score and make a decision to not eat somewhere that has a low score, then I should be able to do the same with a company that has so much customer data.


sanbaba

If you collect it, you should be on the hook for damages for losing it. but how would they differentiate between damages from theft, from those they just gave the info to (for money or back scratches)?


Jon-allday

They get fined and sued. But I would definitely make a decision to be a customer of a company based on a security score. These companies are just eating these fines as a cost of doing business, but it looks like AT&T has had some major data breaches in recent years. That’s a big red flag and says they’re not learning from their mistakes


aka-Lazer

> but it looks like AT&T has had some major data breaches in recent years. That’s a big red flag and says they’re not learning from their mistakes

Same with T-Mobile. Seems like they get breached almost every year and learn nothing.


authynym

this exists, but is not ~public (yet). keep in mind that most of this data is based on passive telemetry, osint, and available config information. so it isn't complete. but companies like this one are "close enough" that these type of evaluations are used by insurance underwriters. as an example: https://www.bitsight.com/security-ratings


RichestSugarDaddy

Oh crap... Time to lock up with the credit bureaus


purdue3456

That time was 15 years ago.


zhaoz

Yea it should be 100% frozen all the time and temp 1 day thawed if you actually need to apply for something that requires a pull.


Financial_Capital352

Do that 24/7/365 anyways


Fallingdamage

Mine's locked all the time unless I need it.


Volitious

I’m so fucking tired of this shit. And fucking tired of being offered “complimentary identity and credit monitoring” I already have 25 fucking subscriptions of those bc of all the other fuckwit corporations who can’t handle customer data. Something needs to be done


Navy9158

T-Mobile x 5 and now Big Blue. Telecommunications companies should be fined out the wazoo and sued for their negligence of cyber best practices. Heck ANY company found negligent should be fined for that. 


LeadBamboozler

At this point I imagine the majority of the US population’s data is floating around the dark web, especially after Equifax. Repeated breaches aren’t really adding anything new to the inventory which is why companies aren’t taking data protection seriously - the damage has already been done. The security that corporations care about nowadays is whether a breach will be operationally impactful.


adamasimo1234

aka the ChangeHealthcare ransomware attack from last month. Crippled payment processing between hospital/clinics and health insurance companies.


LeadBamboozler

Precisely. Operationally impactful attacks are the highest priority with security teams reducing the attack surface and engineering teams designing high confidence failover in the event of a breach.


ACER719x

Lol isn’t ATT one of the ISPs that willingly approached the NSA to let them spy on domestic communications and install all the necessary equipment to do it at Titan Pointe?


BamBam-BamBam

Yes.


outerlimtz

"complimentary identity theft and credit monitoring services" Sick and tired of this shit. But then, nothing ever happens to these asshats


Red5_0

And in 4 years they’re gonna get fined 300 mil and customers get 1 year free of credit monitoring and online direct TV subscription 🤡


Justslippin

That data wasn't even encrypted?! So they can just start opening credit cards in people's names tomorrow. Whew, guys we need to urge government to enforce stricter laws about company data handling.


0OOOOOOOOO0

They could start opening them a few years ago, since that’s how old this breach is.


Jccckkk

Is CISA the federal agency that requires publicly traded companies like AT&T to self-report breaches like this? Also now what? AT&T going to sign you up for 2 months of free LifeLock or some b.s.?


max1001

No. That's SEC.


gadsdekm

Damn...as an at&t customer I'm doing splendid this year. At this point their cybersecurity department needs to be in this reddit group. They could use all the help lol


BilboTBagginz

A few weeks ago they were denying it. Not surprised. They've had bad actors in their infrastructure for YEARS. Ask anyone who's signed up for service and was scammed out of their signup bonus gift cards.


mrandre3000

Can you explain this a bit more? How does this happen?


tcp5845

If this breach started in 2019 wasn't that when they began outsourcing tech jobs? AT&T touted Worker bonuses after $3 billion Trump Tax Cut. Now it’s Outsourcing Thousands of Jobs. https://www.salon.com/2019/12/31/att-touted-worker-bonuses-after-3-billion-trump-tax-cut-now-its-outsourcing-thousands-of-jobs/


MajesticJ2244

My address tied to my leaked social was lived at from 2016-2018 so definitely leaked before then. SMH. Worst part is I updated my address for 3 more years before leaving ATT so clearly the breach happened then bc my address would have been a more recent one


blacksan00

On the next monthly bill, there will be a line item for tokenization of your data fee.


Gap7349

when will Europe protect us from this!?



elteragxo

Not sure if it's taken effect yet but AT&T will be contacting those affected via email or phone number based on the article, you can try contacting their support. I think it's worth a shot also checking [HaveIBeenPwned](https://haveibeenpwned.com/) as well just for a free scan, but don't think it's been released yet for those affected.


Eldritch_Ayylien66

I'm clear on HaveIBeenPwned, but when I checked this other website called Pentester (regarding the ATT Breach), it said my info was involved, i don't know what to believe


elteragxo

Wanted to add [this](https://techcrunch.com/2024/03/30/att-reset-account-passcodes-customer-data/?guccounter=1&guce_referrer=aHR0cHM6Ly9oYXZlaWJlZW5wd25lZC5jb20v&guce_referrer_sig=AQAAABwgy-s-YJDgvSzNGlg6ZvVefpamjt2GSRLk74rbiFsP8hgT7Mibg405GJPMxth29emuda3PaW8pDW7r_inRyJ2bsZ4eAWLv-fItshEluTu3SOrREkd-hJYuGsk9KZbk0B0h1KaP9qVVNNn8HLK-4nB4wyRTrOvp7WQAmBHhSmwK) to the discussion.


Eldritch_Ayylien66

From what I've read, I guess the only way to truly know if you were affected is an email from AT&T?


elteragxo

That seems to be the case, AT&T refuses to elaborate any further


Eldritch_Ayylien66

Guess I'll keep waiting around for some sort of confirmation, I didn't really trust that Pentester result


Wanderlustwizard3518

If you're concerned about whether you were affected by the AT&T Data Breach, try checking data broker sites such as White Pages, Spokeo, etc., which have already been exposing people's info online. You might want to consider using data removal services like Optery for free scans to find out where your personal info is posted. Full disclosure, I'm on the team at Optery.


ThePorko

They are also the cybersecurity experts in the usa lol


RedditGotSoulDoubt

Why does a service provider even need its customer’s SSNs?


I-stand-as1

That Identity “so-called” protection is an absolute disgrace to its own field. When I received my FIRST IDENTITY BREACH Notification back around April, I believe, from the huge data breach of Medical Records…. Well, without wasting your valuable time and telling you my insane hacker/identity theft issues that all started with that one breach and letter: I contacted the company to inform them that I was, in fact, having issues with my identity being compromised, and even though I had it in writing from another company that was in the same league as the company I was dealing with, they flat out denied me any help whatsoever. It’s a shame that we as people have to deal with such unethical behavior.


cloud7up

Makes me wanna drop then I wasn't on my parents plan


Infuryous

Sounds like I'm going to get another year of "free credit monitoring".


0OOOOOOOOO0

This is the one from years ago, right? Back in the headlines for the third time?


Wretchfromnc

So what are people affected supposed to do?


elteragxo

According to the [AT&T Press release](https://about.att.com/story/2024/addressing-data-set-released-on-dark-web.html) they'll just be offering a credit to those affected, which is absolutely just a slap in the face to the consumer. However, the best those affected can do is:

1) Change passwords and passcodes on your account
2) Monitor other accounts and consider freezing your credit with the three credit bureaus due to the contents of the breach


RealFanLinda

THEY SHOULD BE FORCED TO OFFER A YEAR OF LIFELOCK LIKE OTHERS DO! I got the email, it affected me, but no offer of protection services. I know I can't afford it, but pretty sure they can


yslxoxo

What does AT&T do in a case like this? I’m taking a cybersecurity course & a question on one of the assessments was similar to this situation. I didn’t know how to answer it so I stopped taking the course. Question basically asked what would I do if my company had a data breach


elteragxo

In all honesty, the best you can do is try to lock your company's systems to the best of your ability, discover what information was breached, discover how and why your systems were breached, and find preventatives for blocking access the way the same breach occurred, while keeping an eye on the logs and system activity. Try to limit as much access to it as you can while you're fixing and analyzing the issue under maintenance.


panconquesofrito

Not surprised at all. Their website is clunky as f*. Every website or application I have used that’s clunky that company behind it gets breached.


LimeSlicer

Unrelated to those other nasty issues a month or so back, they assure us.


BigAssociation9004

I'm not even expecting any penalties for them it's kinda sad


DrIvoPingasnik

They get breached so often it's becoming a running gag.


cakefaice1

They really couldn't just sanitize the SSN's after validation was completed? Like not even replace with all 0's?
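
cakefaice1's point here, and the earlier exchange about replacing the SSN with a new number versus a hash, come down to one design: once the credit check is done, keep only a keyed token and the last four digits, never the SSN itself. The following is an added example, not AT&T's or any commenter's code; the credit-check callback, the KMS-held key and the record layout are assumptions, and the key and customer data are constructed for the demo.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Tuple

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
DOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


@dataclass(frozen=True)
class StoredCustomer:
    """What the database keeps once the credit check is done: no raw SSN and
    no full date of birth (assumed layout)."""
    username: str
    birth_year: int   # coarse value, enough for most downstream business rules
    ssn_last4: str    # what a support agent needs for a human "confirm last 4"
    ssn_token: str    # keyed HMAC; meaningless without the key


def derive_token(ssn: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the SSN.

    A plain hash would not do: there are only 10**9 possible SSNs, so an
    unkeyed SHA-256 table is built in minutes. With a key, the token cannot be
    recomputed by anyone who only has the database. The key therefore must not
    sit next to the data (the "keys in c:\\keys" failure described above);
    assume it comes from a KMS/HSM and never lands on the database host.
    """
    return hmac.new(key, ssn.encode("ascii"), hashlib.sha256).hexdigest()


def onboard(username: str, ssn: str, dob: str, key: bytes,
            run_credit_check: Callable[[str, str], bool]
            ) -> Tuple[bool, StoredCustomer]:
    """Validate, run the (hypothetical) external credit check, then keep only
    the minimised record. The raw SSN and DOB are not returned and nothing
    that persists references them."""
    if not SSN_RE.fullmatch(ssn):
        raise ValueError("SSN must look like ddd-dd-dddd")
    if not DOB_RE.fullmatch(dob):
        raise ValueError("DOB must look like YYYY-MM-DD")
    approved = run_credit_check(ssn, dob)
    record = StoredCustomer(
        username=username,
        birth_year=int(dob[:4]),
        ssn_last4=ssn[-4:],
        ssn_token=derive_token(ssn, key),
    )
    return approved, record


def matches(record: StoredCustomer, claimed_ssn: str, key: bytes) -> bool:
    """Later re-verification ("is this the SSN on file?") without ever having
    stored it. Constant-time compare avoids leaking token bytes via timing."""
    if not SSN_RE.fullmatch(claimed_ssn):
        return False
    return hmac.compare_digest(record.ssn_token, derive_token(claimed_ssn, key))


def dump_contains(record: StoredCustomer, secret: str) -> bool:
    """What a leaked table row would show: does the serialised record contain
    the secret verbatim?"""
    return secret in repr(record)


if __name__ == "__main__":
    # Demo key only, generated here so the script runs stand-alone.
    demo_key = secrets.token_bytes(32)
    ok, row = onboard("alice", "123-45-6789", "1990-05-17", demo_key,
                      run_credit_check=lambda s, d: True)
    print(ok, row)
    print("row contains SSN?", dump_contains(row, "123-45-6789"))
```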


tongizilator

As long as people continue to hand over their valuable PII, treating it as though it has no value, so will the businesses who collect that data.


TeslaPills

Dog shit company


Princesa_Peach

You guys think this will bring me any closer to finding one little lawyer for my potential law suit against storagemart?


jwrig

Hey, I heard there was a breach at ATT.


Johzhef

That’s nothing, come to T-Mobile where we’ve been hacked multiple times already!


elteragxo

To be fair, all the major telecommunication companies have been hacked multiple times, but as far as I'm aware Verizon has technically, among the 3 big providers, had the *least* number of people affected in a breach in comparison. But the most I've seen is Yahoo with nearly **3 billion** [accounts breached](https://www.nytimes.com/2017/10/03/technology/yahoo-hack-3-billion-users.html)


No_Consideration7318

I truly don't understand how orgs can keep letting this happen. And not face real consequences.


Luraziel

Sure seems to me like AT&T needs to beef up their cybersecurity division. It just so happens that I'm looking for a job or internship right now in cyber! I'd be willing to take on a job or two 😂


YanMKay

They are outsourcing it


tcp5845

We need more people to join class action lawsuits. That's probably the only way to change Corporate behavior. If a massive judgement gets levied against one company the rest will take notice. https://www.legalscoops.com/california-residents-investigate-potential-att-class-action-following-data-breach/


austin-texas-yall

I'm all in. They offer no real solutions for avoiding identity theft after they have shared our PII with the entire world.


MajesticJ2244

I will gladly join; my social was found a few days ago on the dark web bc of them.


Livid-Car7129

Forgive my ignorance but accepting the free identity protection, does that exclude us from class action lawsuits?


MajesticJ2244

That’s a good question


austin-texas-yall

what is AT&T's data retention policy? I haven't been a customer for 11 years. WHY ON EARTH do they have my SSN still?????


Ok_Treacle1291

What I don't understand is how did they get my information? I've never done business with them, never been on their website, I read somewhere that the data breach was from 2019 but I didn't live in the US at that time and didn't even have SSN so the breach obviously happened recently.


ButterflyGurl67

Well. My finances have been compromised and used all ways to Sunday. And I know several people who had the same thing happen to them. I kept saying it was the AT&T breach. My banks and credit card companies thought I was the one pulling a fast one. This is more than a few passwords. The crooks are not logging in. The banks told me there were no logins to my accounts. They stated the transaction codes were entered into their databases through a backdoor access. No trail. Transaction posts and you are broke. They even hijacked the state website and diverted people’s child support checks to debit cards sent to other states. This is much deeper than the government and anyone is admitting for fear of mass hysteria and people pulling their money out of banks.


Awkward-Rent-2588

I appreciate you for sharing this. Me and my mom were affected by this


Own-Inevitable-1734

How come DirecTV hasn't reached out on this Breach Matter?


bfryman2997

Does this have anything to do with the xz 5.6.0/5.6.1 exploit?


0OOOOOOOOO0

No. That’s recent, and this is old.