A few days ago, someone broke into an AT&T system and stole the call and text records for all AT&T subscribers– some 100 million or more people. Today AT&T sent an email to me, and presumably to the other 100 million people, admitting to the incident. As I read it, I couldn’t help but “translate” in my head what they said.
What happened?
We found out AT&T call and text records were accessed by cyber-criminals who have claimed responsibility for unlawful access to other companies in the past. At least one individual has since been arrested.
Translation: even though these folks have attacked other similar systems in the past, we didn’t bother to learn from those companies’ mistakes and secure our own systems against the same attack. Oh, and the bad guy was arrested! (Which we had absolutely nothing to do with.)
What is AT&T doing?
Protecting customer data is a top priority.
Translation: making money is actually the top priority, but protecting customer data is definitely one of our top priorities. At least in the top ten. Or maybe top twenty. It’s hard to say for sure, because that kind of stuff costs money, and spending money takes away from our top priority.
We hold ourselves to high privacy standards and are always looking for ways to improve our security practices.
Translation: we’re not really going to do anything about this, except tell you we’re “looking for ways” to make it better. Oh, and we’re not going to compensate you in any way for screwing up.
This kind of stuff happens all the time these days. Companies can’t be bothered to spend the money to properly secure their customers’ data, and then when someone (inevitably) breaks in and steals it, there are no repercussions. They issue a boilerplate apology and move on. There are no penalties, no requirements for them to do better, and frankly no incentive for them to actually effect change.
Although this particular incident isn’t terribly damaging to me, the data could be used by malicious parties to do some real damage. It’s only metadata, not content, but it would be a treasure trove for abusive or dangerous stalkers, ex-spouses, and the like. There are real-world consequences for people. But, as we see yet again, not for the corporations.
Harumph.