Millions of AT&T Customers Notified of Data Breach at Third-Party Vendor

Discussion in 'mobile device security' started by ronjor, Mar 11, 2023.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    177,032
    Location:
    Texas
    By Ionut Arghire March 10, 2023
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    177,032
    Location:
    Texas
    AT&T says leaked data set impacts about 73 million current, former account holders
     
  3. Malcontent

    Malcontent Registered Member

    Joined:
    Dec 30, 2005
    Posts:
    634
    Location:
    Cleveland, Ohio USA
    AT&T resets account passcodes after millions of customer records leak online

     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Just checked my e-mail and the AT&T notification was there that my password was compromised and they had reset it.:'(
     
  5. Raza0007

    Raza0007 Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    1,847
    Location:
    USA
    After reading all the news articles and reports about this breach here are some highlights:

    - The breach involves data from 2019 and earlier, and contains information on 7.6 million current and 65.4 million former customers.

    - The data includes customers' social security numbers, full names, email and mailing addresses, phone numbers, and dates of birth, as well as AT&T account numbers and passcodes. The social security numbers and passcodes are unencrypted, so the encryption key was either stolen or cracked.

    - The data breach is not recent but occurred a few years ago. In August 2021, a small sample of the records was posted and a hacking group was asking for money for the rest. The whole set of data has now been dumped on the net. That means sensitive information of 73 million AT&T customers has been floating around since 2021.

    - In 2021 AT&T had denied that any of its systems were compromised. They are still denying that any of their systems were or are compromised... This is absurd, because it means that someone can obtain AT&T customers' sensitive data without actually having to break into AT&T systems first!
     
  6. Guest 931

    Guest 931 Guest

    'Nearly all' AT&T customers' data stolen in huge breach
    CANDACE HATHAWAY
    July 12, 2024
    https://www.theblaze.com/news/nearly-all-att-customers-data-stolen-in-huge-breach
     
  7. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    Well since these big tech and communication outfits are ever so generous anymore, inform them we can throw in our socks & dirty undergarments as well as other laundry too.

    Why not? They free giveaway your info and timeline habits then call it a breach/hack.
     
  8. sdmod

    sdmod Shadow Defender Expert

    Joined:
    Oct 28, 2010
    Posts:
    1,219
    Even if this data was not stolen and was 'safely' retained, this is personal information that these companies and organizations should never be allowed access to, in the first place.
    This massive data release will have an impact on millions of people in terms of their privacy and security, now and going into the future (for many, their whole lives) and can't be undone by changing passwords.
    We have vital aspects of our life snatched away, by force, stealth and propagated practices by entities (private or governmental) that have never had our best interest as a primary precept and things need to change.
    I hope that we will see some accountability and justice in these matters.
    Our expectations have been manipulated (by the usual methods of 'carrot and stick'), that this level of invasive intrusion, is somehow, normal.
    I hope that class actions occur in situations like this and there are legislative changes and this is not swept under the carpet, shrugged off or ignored.
    As part of a governmental, judicial or class action, true impact assessments should be made and a stop be put to this now and not some time in the distant future.
    Financial compensation is not enough in these cases.
     
    Last edited: Jul 13, 2024
  9. Raza0007

    Raza0007 Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    1,847
    Location:
    USA
    The real question is who gave AT&T permission to store such sensitive data like the cell site IDs associated with a customer's phone number for over two years?

    So when a customer is driving for example, and their phone switches from one cell tower to the next, AT&T logs and retains this data for multiple years! Why?

    Anybody with access to this data can easily tell where the said customer was two years ago, which route they took from home to work, and where else they traveled to!

    And imagine that people are concerned about ad tracking companies tracking their online browsing habits, when this nonsense is going on!
     
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    177,032
    Location:
    Texas
    AT&T Agrees $13m FCC Settlement Over Cloud Data Breach
     
  11. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    9,147
    Location:
    USA
    I want to know why they kept my data for that long after I switched to another carrier.
     
  12. Raza0007

    Raza0007 Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    1,847
    Location:
    USA
    Unfortunately, as part of their EULA, they make every customer agree to the following: "We keep your information as long as we need it for business, tax or legal purposes." This applies even if you are no longer their current customer.

    This is the new current agreement that they have had for the last many years. Their older EULA used to say that they will keep user information for 7 years.

    Apparently it is legal for a private company in the US to retain customer data for however long they want, as long as they get the customer's consent beforehand.
     
  13. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    9,147
    Location:
    USA
    1. Does not make it ok.
    2. They should be prosecuted for not encrypting it.
     
  14. Raza0007

    Raza0007 Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    1,847
    Location:
    USA
    I agree with you 100%. Unfortunately, the way the law is written, all they will ever get is a few million dollars fine, which is just pocket change for a company as huge as AT&T. Then it's back to business as usual for them.
     
  15. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,222
    Location:
    Member state of European Union
    Same in the EU for i.e. banks. What a citizen in the EU can order by separate formal notice is to stop data processing by them. After this formal consent withdrawal, the bank can still store data for legal purposes.
     
  16. Raza0007

    Raza0007 Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    1,847
    Location:
    USA
    I can understand if companies keep some data about their customers for business needs. For example, if the customer leaves them and in future wants to come back, they can pull up this customer's record to decide whether they want the customer back or not.

    But what I don't understand is the sort of data that AT&T was collecting, like cell tower IDs associated with the customer with time stamps, for over 2 years! Basically telling them exactly where the customer was and in which direction they were traveling, and which places they were visiting. Why they would want to retain this kind of sensitive data is beyond me. Unless they planned to sell this information to Government entities or advertisers in the future.
     
  17. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,222
    Location:
    Member state of European Union
    Well, in a country where I live CSPs have a legal duty to collect that data for every prepaid cell phone call. I don't know if the US requires it as well.
    It may also be helpful to collect that data for technical reasons. It may help with planning upgrades to the radio and antenna infrastructure, configuring the network i.e. optimizing handovers between RBSes etc., though it could be anonymized.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
  20. Raza0007

    Raza0007 Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    1,847
    Location:
    USA
    I am really surprised that with all the EU's privacy laws, they would allow private for-profit companies to collect and retain such sensitive data. What is stopping these companies from monetizing this data?

    Thanks for the excellent article. This explains why AT&T retains such data. They can make extra money by selling it to the FBI and other law enforcement agencies!
     
  21. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,222
    Location:
    Member state of European Union
    They are not only allowed but required. It is a legal obligation. Telco companies face penalties if they don't collect and store data. One thing that is better in the EU is that the retention period is specified, so we can't have a telco company storing location data for 7 years or so.

    When it comes to location privacy... until SS7 is in widespread usage there is no such thing for people carrying powered on cell phone.
     