On March 30, AT&T announced that Social Security numbers and passcodes for 7.6 million current users and 65.4 million former users were released in a dataset on the dark web.
In addition, full names, email addresses, mailing addresses, phone numbers, dates of birth, and AT&T account numbers were among the key pieces of information exposed in the data breach. That being said, the targeted data comes from 2019 or earlier and is not believed to include records of financial information or call history.
AT&T notified those affected directly by email, with the notices beginning to go out on March 30. In response, the mobile carrier has reset customers’ passcodes and is paying for credit monitoring services in an effort to tighten security. In the meantime, AT&T has “launched a robust investigation” alongside internal and external cybersecurity experts to look further into the nature of the incident.
Business Education teacher Sara Torres elaborates on the legal issues facing the tech giant and the company’s degree of liability for the breach.
“I would say probably fifty-fifty,” Torres said. “We’re giving them [AT&T] our information, we’re allowing access to that when we put it out there. But they have a social responsibility to keep that private, especially when they’re taking personal information from customers. They take the majority of the blame, but you could always beat yourself up for having shared that information in the first place. There’s always a risk when you put your information out there.”
The hacker responsible for the attack goes by the name ShiningHacker and is known for data breaches targeting platforms such as Wattpad, Tokopedia, and Microsoft Corp.’s GitHub. According to Bleeping Computer, the hacker attempted to monetize the stolen data by offering it for sale on the RaidForums data theft forum, setting the starting price at $200,000 with offers rising in increments of $30,000. ShiningHacker even offered to sell the data immediately for as high as $1 million, bringing attention to the severity of the cybercrime.
Since the incident, AT&T has faced at least 10 class action lawsuits alleging that the company failed to adequately protect customers’ personal data, leading to the cyberattack and data breach that exposed the personal information of 73 million customers. The lawsuits also accuse the tech giant of negligence and breach of implied contract, seeking compensatory damages and improvements to AT&T’s data security protocols.
Business Education teacher Kara Mielke points to a lack of initiative by major tech companies in taking the steps needed to protect their customers’ private information.
“At the end of the day, I can’t imagine that big companies are truly taking action,” Mielke said. “Every day hackers are just getting better and better and they’re ahead of the big companies when it comes to security. Big companies are worried about their dollar as opposed to the protection of their customers.”
Even though tech companies such as AT&T bear a large share of the fault for data breaches, there are also measurable steps consumers can take to keep their private information safe from malicious use.
“Most people in the last five years have had an instance where their data was potentially breached,” Mielke said. “It’s something that we face in today’s society. The consumer needs to be smarter and needs to know how to catch things like identity theft before they happen so in the event that their data is breached, they can protect themselves early.”
Since the legal proceedings began, AT&T has strongly disputed the allegations brought against it, claiming that the leaked data samples didn’t belong to the company. AT&T also attempted to claim that the leaked data did not originate from its sources and that there were no visible signs that its systems had been compromised to any extent. That being said, in an effort to acknowledge the situation, the company has begun to offer identity theft and credit monitoring to those affected, and has taken the initiative of resetting millions of passcodes.
Nevertheless, the firm’s initial denials about the origin and authenticity of the leaked data and its failure to determine the origin through investigations have exposed customers to a higher risk of scams and phishing attacks for at least the next three years. Until then, customers’ personal data will continue to linger in criminal hands without their knowledge.