Script of my radio report yesterday on the new AT&T data breach

- - -

This is the script of my national radio report yesterday on the latest
AT&T data breach. As always, some minor wording variations may have
occurred as I presented this live.

- - -
If you're getting tired of stories like this, you're not alone. I am
too, and it seems ridiculous that we so often have to re-live a
Groundhog Day scenario like this over and over again. So this time,
yeah, it's our old friends AT&T and apparently an enormous number of
AT&T wireless customer call records from a couple of years ago were
grabbed from a third party cloud provider that AT&T uses. And this
data reportedly includes both voice call and texting data, both the
originating and receiving numbers and for voice calls the duration of
the calls.

This is what we call metadata and so the contents of the calls and
texts aren't included but this kind of metadata is sensitive enough.
But WAIT, there's more! While the actual database was for AT&T
wireless customers, of course every call or text as I was just talking
about has two ends. So apparently any numbers that those AT&T wireless
customers interacted with, whether they were AT&T landlines, other
company landlines, other carriers' wireless services, whatever, would
likely be included in the breach, because those records will normally
always include the numbers from both ends of the communications.

And guess what, AT&T apparently went ahead and paid a ransom of
approaching 400 thousand dollars to get the data deleted, so they made
it another attack that paid off handsomely.

Now one might ask, why is AT&T using third party services for this
sensitive customer information rather than dealing with it themselves,
because obviously AT&T has control over the security of their own
systems, not necessarily of third party services.

What's really annoying about this regarding these giant firms that are
entrusted with so much of our personal data, is that we keep seeing
these kinds of incidents over and over again and there virtually never
seem to be genuine consequences for the executives of these companies.
So there doesn't really seem to be much incentive for these execs to
spend the money and time to really secure these systems, because
they're getting away with not doing so, and only their customers end
up suffering as a result.

And it's really time for this to change. We really need to rethink the
laws regarding security breaches that can affect millions of customers
of these enormous firms. Monetary fines don't seem to impact them;
they can usually just pass those costs along to their customers. Maybe
some prison time for these executives would get their attention when
many customers are impacted and negligence can be shown. You could
have a committee of security experts who would recommend to courts in
individual cases whether this kind of penalty should be applied, or
other penalty models that would actually impact these executives and
not be so easily finessed away by them.

But the bottom line is that rather than concentrating only on the
parties carrying out these attacks, serious consideration should be
given to applying significant penalties to the persons running these
large firms in cases where reasonably foreseeable situations permit
these breaches but aren't dealt with before large numbers of customers
are negatively impacted.

It's not even as if most of these breaches are the result of novel or
dramatically new types of attacks. Mostly they seem to be garden
variety credential thefts resulting from email phishing and the like,
the same sort of stuff that's been going on for many years now, even
though the technical means to largely prevent these have been known
almost as long.

It's really just a matter of getting the persons running these large
firms to decide they need to allocate as much care to security as they
do to their profit centers, and if in some cases they're just not
capable of doing this of their own volition, laws are going to need to
be implemented to encourage them to change these priorities in a
customer-positive direction, or face penalties that weren't on the
table up to now, even if that might possibly include some time
behind bars.

Perhaps a possible path to at least consider for the benefit of
customers and for society overall.

- - -
--Lauren--
Lauren Weinstein [email protected] (https://www.vortex.com/lauren)
Lauren's Blog: https://lauren.vortex.com
Mastodon: https://mastodon.laurenweinstein.org/@lauren
Founder: Network Neutrality Squad: https://www.nnsquad.org
        PRIVACY Forum: https://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility