Todd and my upcoming book stress the point no matter how safe you make your computer and your personal practices someone else may drop the ball and expose you to cyber-harm. We provide examples of this in our book but there is nothing like current events to drive home this point.

On Friday, June 12, 2024, AT&T Corp. disclosed that a new data breach had exposed phone call and text message records for roughly 110 million people, reportedly nearly all of its customers. The interesting thing about this breach is it did not occur in June or even May. AT&T’s Security and Exchange Commission (SEC) filing reflects:

On April 19, 2024, AT&T Inc. (“AT&T”) learned that a threat actor claimed to have unlawfully accessed and copied AT&T call logs. AT&T immediately activated its incident response process to investigate and retained external cybersecurity experts to assist. Based on its investigation, AT&T believes that threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023.

One might take exception to AT&T taking almost three months to report this breach but occurring to the same filing on May 9, 2024, and again on June 5, 2024, the U.S. Department of Justice determined a delay in providing public disclosure was warranted.

Per the SEC filing, “AT&T does not believe that the data is publicly available.” AT&T may have this belief as it being reported by Wired that AT&T paid a member of the hacking team more than $300,000 to delete the data and provide a video demonstrating proof of deletion.

I don’t take much comfort in a hacker’s promise that somehow stolen data isn’t still out there in some manner. I frankly am uneasy about this promise as one of the major AT&T consumers, which I don’t believe is being reported much, is the United States government. AT&T provides cell phone services to major federal agencies in at least Ohio, such as the U.S. Courts and the U.S. Attorney’s Office. The paid extortion fee seems somewhat small in comparison to the potential data’s value to those who might want to know more about calls made by federal personnel.

Another point our upcoming book stresses is that the odds are pretty good that individuals will face cybercrime attempts/acts multiple times throughout their lives. From a personal perspective I am likely going to get a victim notification sometime in the future as I am an AT&T consumer. This unfortunately will not be my first notification, nor do I fear the last. Our book also stresses that such company notifications are not immediate, and we need to be constantly tuned into to media and other sources for warnings about such breaches.

Our book covers basic cyber protection measures in detail. But as we note having protection in place is not enough. As our book title implies, cyber survival is much better. It recognizes that there is danger or harm but has a connotation that goes beyond safety or protection to overcoming those attacks. We address what do when one knows they have been attacked. Look to this blog in the coming weeks for some tips and our upcoming book for details on being a cyber-survivor.