Business
Column: Why hugely profitable corporations won't spend enough to keep hackers from stealing your private info
AT&T is one of America’s largest telecommunications companies. Last year it recorded a pretax profit of nearly $20 billion on $122.4 billion in revenue.
So why, you might ask, has AT&T been so pathetically sloppy about protecting its customers’ private information that the data of nearly all those customers — 110 million users — ended up in the hands of a “financially motivated” hacker group?
The breach was revealed on July 12, although it mostly occurred in 2022; AT&T attributed the reporting delay to requests from federal authorities to keep it under wraps while they investigated its national security significance.
Protecting your data is one of our top priorities.
— AT&T, after disclosing that personal data of as many as 110 million customers was stolen by hackers
This breach, cybersecurity experts say, is especially alarming because of the nature of the stolen data. It’s not merely financial data such as bank account or Social Security numbers that might enable hackers to raid a victim’s bank account or engage in identity theft to open new accounts.
In this case, it included information about what numbers were called by hacked users and the numbers that called them; the length of calls, and location data — where you might have been when making or receiving a call. The data the hackers snarfed up came from May through October 2022 and Jan. 2, 2023.
“Telecom providers hold some of the most sensitive information on consumers — a map of their daily lives — where they are, who they’re talking with, their social graph, everything,” says cybersecurity professional Brian Krebs.
The latest disclosure of a hack at AT&T might be considered a signpost for “the year of the megabreach.”
It follows AT&T’s announcement in April of an earlier, unrelated breach that may have compromised the Social Security numbers, PINs, email and mailing addresses, phone numbers, dates of birth and AT&T account numbers of 73 million current and former AT&T customers.
Both AT&T incidents pale in comparison with a massive data breach earlier this year at UnitedHealth Group, the nation’s biggest health insurance and health provider conglomerate. According to congressional testimony by UnitedHealth Chief Executive Andrew Witty and company news releases, a ransomware attack on the company’s Change Healthcare subsidiary has affected as many as 1 in 3 Americans.
Change Healthcare manages patient payments and reimbursements to medical providers. The ransomware hack crippled medical services nationwide and resulted in the exposure of patients’ treatment details and billing information, including credit card numbers. Patients reported that pharmacies were refusing to fill prescriptions because they couldn’t access insurance approvals, risking the patients’ health.
UnitedHealth said it paid a $22-million ransom in bitcoin, but couldn’t be sure that all the hacked information was returned. It also said that it advanced about $9 billion to providers to cover their expenses before their billing could be restored.
The company told Congress that it already had in place “a robust information security program with over 1,300 people and approximately $300 million in annual investment,” but of course those figures are meaningless — the question is how much it would cost to actually have a “robust” program in place, since $300 million obviously isn’t enough.
The breach occurred, according to testimony and statements by the company, because UnitedHealth tried to integrate Change Healthcare’s technology system with its own without first ensuring that Change’s system would require multifactor authentication, a basic security feature that requires users to enter an algorithmically generated code along with their password to gain access to a system or account.
The hackers breached “a legacy Change Healthcare server” that didn’t meet the parent company’s standards, the company said — but it used the noncompliant equipment anyway.
Data breaches affecting hundreds of thousands or millions of consumers have become such familiar features of the consumer landscape that the guilty companies respond with a standard playbook replete with promises to customers.
They point out all the data that wasn’t compromised — AT&T told customers that the latest debacle didn’t involve “the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information.” That’s a bit like airlines following up reports of deadly crashes by pointing out how many planes land and take off safely every day.
The companies typically offer aggrieved customers free credit monitoring and identity theft protection for a period of time; at UnitedHealth, that period is two years.
Whether those services are useful is open to question — after a 2017 data breach at the credit reporting firm Equifax exposed the personal data of 143 million Americans, the identity theft service LifeLock trumpeted its protective services (at $29.99 a month). What LifeLock didn’t make very clear was that the services it was selling were actually provided byEquifax.
The breached companies also attest to their determination to get to the bottom of the hacks, and to their commitment to customer security. AT&T’s recent breach disclosure included this pledge: “Protecting your data is one of our top priorities.”
If there were a trophy for flagrant lying in marketing materials, this would be a strong contender. Under the circumstances, it’s either blatantly untrue or reflects a critical flaw in the company’s fulfillment of its priorities. I asked AT&T what steps it has taken to discipline or remove any executives charged with fulfilling such a crucial priority, up to and including the CEO. AT&T didn’t respond directly to this or other questions I submitted, but referred me to its news release and a customer Q&A on the topic.
AT&T says the breach occurred in a company connection to a third-party cloud data service called Snowflake, to which it had entrusted its customer data. As it happens, some 165 of Snowflake’s corporate clients may also have been targeted by the hackers who struck AT&T. An ongoing investigation by cybersecurity experts suggests, however, that the fault isn’t Snowflake’s — it’s the fault of those clients, who didn’t observe best security practices.
That points to several issues that contributed to AT&T’s breach — and similar breaches around the corporate world. One is why AT&T is hoarding so much information about its users in the first place.
“To have years of call histories, text message histories and location data makes you a massive target for hackers,” says Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project, a New York nonprofit.
“Why does AT&T keep so much information on so many users?” Cahn asks. “They have a perverse incentive to hold on to as much of our data as possible, to think about new ways to mine it for value. When they do that, we’re the ones put at risk.”
In any event, if AT&T is going to store data this sensitive, he says, it needs to employ more rigorous safeguards to protect it.
Yet in corporate America, cybersecurity has been an afterthought, if it receives any thought at all. “These companies at some point decide that it’s really expensive to care a lot more about security when there really aren’t a lot of consequences for screwing it up,” Krebs told me. “You might get sued or have to pay a few hundred million dollars in fines, but these are rounding errors on their profits.”
The European Union’s General Data Protection Regulation allows for a fine of up to 4% of a company’s annual revenue for an especially severe breach, but it’s unlikely that such a penalty could be legislated in the U.S. (If it were, AT&T might be liable for a bill of $4.9 billion.)
Krebs blames indifferent boards of directors for their inattention. Even a data-oriented company such as AT&T has no directors with specific expertise in cybersecurity. Of the nine directors in place as of the 2024 proxy statement, five are credited with experience in technology and innovation, according to what Villanova University business professor Noah Barsky correctly calls “perfunctory” language in their bios in the company’s 2024 proxy statement.
Only one, Stephen J. Luczo, is said to have any particular expertise in cybersecurity, but that’s only as a private equity investor — his background is in investment banking. The board’s newest member, Marissa Mayer, may have cybersecurity experience, but it’s not encouraging: During her tenure as CEO of Yahoo (2012 to 2017), that company experienced an epic data breach that compromised all 3 billion of its user accounts.
“It’s clear that industry is never going to do enough on its own” to protect customer data, Cahn says. The task may have to be placed in regulatory hands. Krebs suggests something akin to a cybersafety review board to introduce something close to accountability. Cahn suggests rules requiring the proactive deletion of sensitive information such as location data and medical records — “You can’t steal what doesn’t exist,” he told me.
The market may yet exercise its own discipline. UnitedHealth is learning the hard way that carelessness about cybersecurity can have a material effect on earnings. In its second-quarter earnings report released Tuesday, the company said that the full-year cost of the Change Healthcare hack may come to as much as $2.05 per share, an increase of as much as 45 cents from its original estimate. Its second-quarter earnings came to $4.54 per share.
But it’s customers who will really bear the costs. “Most Americans,” Krebs says, “have no choice but to do business with these companies if they want to participate in the modern society.”
Business
Waymo reports teen riders for bad behavior and delivers them to the police
Robotaxis could be turning into robocops.
A self-driving Waymo reported two teens to San Mateo, Calif., police on Monday after they were found drinking alcohol and shooting toy guns in the back of the vehicle.
According to a social media post from the San Mateo Police Department, officers detained two 15-year-olds after the Waymo they were riding in contacted the department and stopped in a parking lot until law enforcement arrived.
“Parents do you know where your teens are?” the San Mateo Police Department wrote on Facebook following the incident. “Waymo does!”
Officers removed both teens from the vehicle and determined they were using toy guns to shoot Orbeez out the windows. Orbeez are small, water-absorbing beads sold at toy stores.
“Toy guns, water guns, and BB guns all pose real dangers, especially to an untrained eye,” the Police Department said. “The simple handling of them can cause fear in [passersby].” “
A video posted on Facebook shows at least five officers and a police dog responding to the scene and approaching the Waymo with their weapons raised.
Waymo did not immediately respond to a request for comment.
Waymo vehicles have internal cameras and microphones that may be used in an emergency or to “promote safety and security,” according to Waymo’s online support page.
The cameras are also used to ensure the vehicles are clean and to help find lost items, according to the support page.
The company said it does not use facial recognition or other biometric identification technologies to identify individuals.
“In more urgent circumstances, support may access live video during a trip,” the Waymo page said.
The San Mateo Police Department’s Facebook post has garnered nearly 60 comments, with one user accusing Waymo of “snitching.”
“At least they got a designated driver?!” one user commented.
Business
Commentary: How right-wing anti-transgender attacks led to a Supreme Court ruling upholding sex discrimination
At the Supreme Court, the unfounded fear of boys masquerading as girls in youth sports rolled the clock back on gender equality.
On the surface, the Supreme Court’s June 30 opinion upholding state laws barring transgender girls from women’s and girl’s sports teams looks like a victory for women’s rights.
The 6-3 opinion by Justice Brett M. Kavanaugh certainly presents itself that way. “Females and males have inherent physical differences relevant to athletic performance,” Kavanaugh wrote. “Therefore, in contact sports, forcing female athletes to compete against males can create significant safety risks.” He also asserted that “forcing female athletes to compete against males can undermine competitive fairness.”
The ruling applied to prohibitions enacted in Idaho and West Virginia against “biological” males’ participation on women’s teams in public schools. Federal judges in both states overturned the bans. The Supreme Court majority restored them. The ruling essentially upholds similar bans enacted in 25 other states.
There was no record of any transgender person participating in school sports in the State, let alone any ‘problem’ with transgender students … creating unfair competition or unsafe conditions.
— Justice Sonia Sotomayor, demolishing the Supreme Court’s argument in favor of banning transgender girls from girl’s sports
Kavanaugh, like Donald Trump and others in the anti-transgender camp, maintained that one’s gender is an immutable fact of life, established even before birth.
Anything else, Trump stated in an executive order he issued on inauguration day 2025, could only be the product of “gender ideology extremism.” The U.S., his order stated, recognizes “two sexes, male and female. These sexes are not changeable and are grounded in fundamental and incontrovertible reality.” That’s a “biological truth,” he declared.
In his own version of this overconfident and factually insupportable conclusion, Kavanaugh wrote: “As all agree, females and males have inherent physical differences relevant to athletic performance.”
Science recognizes that some people are “born with sex traits that don’t fit into typical male or female patterns,” to cite a discussion on the Cleveland Clinic web page on the topic “intersex.” The condition “may involve chromosomes, hormones, reproductive organs or genitals.”
From a psychological standpoint, medical science recognizes “gender dysphoria” as a real condition often requiring counseling and medical intervention such as the use of puberty blockers and hormones to stave off the development of secondary sex characteristics until the condition can be resolved.
No one disputes that there are physical differences between the sexes. Few would dispute that on average or even at the median, males may be bigger and more powerful than females, or that in certain contact sports the difference may be telling and on occasion dangerous.
But that’s not the same as asserting that the physical differences between males and females invariably mean that men will invariably prevail over women in all competitions or that their participation will endanger women.
The International Olympic Committee — in a policy statement Kavanaugh cited incompletely — says that in “most running and swimming events,” males have a 10% to 12% advantage over women. That’s a range that would accommodate the full spectrum of outcomes — transgender females win, cisfemales win, they tie. (The “cis” prefix denotes those living consistent with their birth gender.)
West Virginia and Idaho addressed this ambiguity by banning transgender women from all girls’ teams. So under their rules transgender girls can’t play football or soccer with cisgirls. But what’s the argument in favor of banning them from the 100-yard dash, or cross-country track, or diving, or archery?
But something else is going on here. The Supreme Court’s ruling was almost preordained, given the years-long campaign by conservatives to demonize transgender individuals as if they’re members of an alien species.
It will be recalled that during his presidential campaign, Trump spun a despicable fantasy in which children were kidnapped in school and secretly subjected to sex-change operations.
Trump’s executive order wiped out policies aimed at protecting transgender adults from discrimination. He moved to outlaw gender-affirming medical therapies for anyone under 19 by cutting off federal funding for healthcare institutions that provide such care.
He banned transgender individuals from serving in the military and ordered federal prison officials to move transgender inmates into the general populations consistent with their birth genders, which exposes them to physical assault. (Federal Judge Royce Lamberth of Washington, D.C., has blocked the government from transferring three transgender women into the male prison population or terminating their hormone treatments.)
I wrote during Trump’s first term, when his anti-transgender policies were still gestating, that the goal was to show that “one can target any community, as long as it doesn’t have a strong political voice or political power. These are the actions of bullies and cowards, pretending to be strong.”
Last year, the Supreme Court struck its first blow against transgender rights by upholding a Tennessee law banning transgender care, including puberty blockers and hormone therapy, for minors. Similar laws have been enacted in 25 other states. The majority in that ruling by Chief Justice John G. Roberts Jr. was identical to the one in the June 30 ruling — Roberts, Kavanaugh, and Justices Clarence Thomas, Samuel A. Alito Jr., Neil M. Gorsuch and Amy Coney Barrett.
Who are the targets of this ideological campaign? They number only about 1.6 million U.S. adults, or one-half of 1% of the U.S. population. About 300,000 adolescents ages 13 to 17, or 1.4%, identify as transgender, according to a study by UCLA School of Law.
In West Virginia, as Justice Sonia Sotomayor observed in her dissenting opinion, “there was no record of any transgender person participating in school sports in the State, let along any ‘problem’ with transgender students … creating unfair competition or unsafe conditions.”
In endorsing the flat bans directed at transgender women in Idaho and West Virginia, Kavanaugh argued that any attempt to implement case-by-case judgments of students’ requests to join sports teams inconsistent with their biological gender would create “an enormous practical and administrability problem.”
Is that so? That wasn’t the case in Maine, where the annual K-12 population is more than 170,000. There, a committee was charged with determining whether a student’s participation in a sport consistent with their gender identity but inconsistent with their biological sex would “result in an unfair athletic advantage” or present a risk of injury to others. The committee held 56 hearings from 2013 through 2021, or an average of seven per year. During the entire time span, only four involved transgender girls. (The outcome of those hearings couldn’t be learned.)
It was Maine’s policy, one might recall, that provoked a confrontation between Trump and Maine Gov. Janet Mills at the White House last year, when Trump threatened to withhold federal funding from the state unless it barred transgender students from competing on women’s sports teams. “We’ll see you in court,” Mills snapped.
Whether the Idaho and West Virginia laws genuinely protect girls from unfair competition is questionable. (The Idaho law is styled the “Fairness in Women’s Sports Act.”) In practice, the laws may subject women in public schools to “invasive sex verification procedures,” as educational expert George Theoharis of Syracuse University wrote after the court ruling.
They’re also based on a retrograde view of women as fragile creatures needing men’s protection, Theoharis wrote — “the same logic that has historically been used to justify excluding women from making their own healthcare decisions and girls from rigorous math and science; that physically demanding work is simply beyond them.” (There don’t appear to be any state laws barring transgender women from competing in men’s sports.)
Becky Pepper-Jackson, the plaintiff in the West Virginia case, in which she is identified only as B.P.J., is the only transgender girl who sought to join girl’s teams — track and cross-country — in the state. That was in 2021, just after West Virginia passed its law and she was about to enter sixth grade. She didn’t appear to pose any competitive risk to others on the track and cross-country teams she applied to join — her lawyers told the Supreme Court that on those no-cut teams, she “came in near the back.”
Anyway, she had not gone through male puberty, which theoretically might have endowed her with a competitive advantage, because she had been taking puberty blockers and female hormones.
Thanks to the court’s ruling, Sotomayor observed in a dissent joined by Justices Elena Kagan and Ketanji Brown Jackson, West Virginia can deny Becky access to school sports “because it thinks they have an inherent athletic advantage, even if the facts show that they do not.”
B.P.J., Sotomayor wrote, “cannot practice on girls’ teams, even if she would not take anyone’s spot in an eventual competition, even if everyone who tries out for the team makes it, and even if having the chance to participate could aid immensely in treating B. P. J.’s gender dysphoria.”
So whose interest was really protected by the Supreme Court?
Business
Orange County real estate investor pleads not guilty in $100 million bank fraud case
An Orange County real estate investor accused of criminally defrauding an Arizona bank of nearly $100 million pleaded not guilty Monday and remains in custody.
Mahender Makhijani, 44, of Corona del Mar — who also was ordered by an arbitrator to pay $1.34 billion in a separate civil fraud case — was arraigned in Santa Ana federal court on two charges.
He is accused of bank fraud and making a false statement to a bank in a June 8 case involving a $100 million real estate loan made by Phoenix-based Western Alliance Bank. He was taken into custody on June 10.
Makhijani is accused of providing bogus collateral for the October 2024 loan now in default. In a civil lawsuit, Western Alliance said the outstanding balance as nearly $99 million.
Prosecutors say he falsified title insurance policies that showed the bank would have a first lien on the underlying collateral if the loan went bad, when in fact it did not.
A trial was set for August 11 before U.S. District Judge David O. Carter in Santa Ana.
Michael Schachter, his criminal defense attorney, did not respond to messages seeking comment.
In the civil case, an arbitrator in May ordered Makhijani to pay Laguna Beach real estate mogul Mohammad Honarkar $1.34 billion after ruling he had fraudulently induced him into a 2021 joint venture — and then wrested control and lost to creditors more than two dozen properties Honarkar had owned.
Makhijani has not been criminally charged in that case, but prosecutors alleged in an affidavit in support of the bank fraud charges that he used “force and threats” in his dealings with Honarkar and others — including taking over the landmark Hotel Laguna in 2023 that Honarkar was renovating.
Prosecutors sought to hold Makhijani without bail after his arrest.
The affidavit noted he is a legal Indian immigrant with a home and bank accounts in that country, has access to private jets and threatened to “run away” if caught in a difficult situation.
The request was denied and he was granted $500,000 bail.
However, Makhijani remains in custody after a hearing sought by prosecutors last month before Magistrate Judge Autumn Spaeth.
The judge declined to accept a $450,000 cashier’s check submitted by a Makhijani associate for the bail, finding insufficient proof the source of the funds was legitimate, according to court records.
Makhijani is not prominent outside Orange County real estate circles, but he established a thriving distressed-assets business over the last decade that attracted prominent Southern California real estate investors.
Prosecutors said it paid for a lifestyle that included two multimillion-dollar homes in Corona del Mar, a luxury apartment in Newport Beach and various luxury vehicles.
As of last month, prosecutors had not fully traced his assets, which they believe are not held in his name and some of which may be in India.
The businessman employed an array of shell companies and strawmen to sign documents on his behalf, and to stand in for him as operators of his companies, according to the affidavit.
Makhijani told an associate he took extra precautions because wanted to insulate himself from litigation and that “they were sharks in the distressed world who took advantage of people,” the affidavit stated.
-
Alaska2 minutes agoOpinion: Alaska’s whale-strike risk is growing while regulators keep studying the obvious
-
Arizona9 minutes agoArizona Lottery Mega Millions, Pick 3 Evening results for July 7, 2026
-
Arkansas12 minutes ago
Arkansas Lottery Mega Millions, Cash 3 winning numbers for July 7, 2026
-
California24 minutes agoCalifornia still hasn’t released Newsom’s Baby2Baby diaper contract as lawmakers weigh longer public records delays
-
Colorado27 minutes agoColorado River, public lands reopen as Snyder Fire containment increases
-
Connecticut32 minutes agoOpinion: A lifeline in CT’s childcare desert
-
Delaware39 minutes agoTalk & Film Bring Delaware’s Revolutionary Story to Life at Archives’ First Saturday Program – State of Delaware News
-
Florida42 minutes agoHeat alerts expand across Florida as dangerous temperatures return