Column: Why hugely profitable corporations won't spend enough to keep hackers from stealing your private info

AT&T is one of America’s largest telecommunications companies. Last year it recorded a pretax profit of nearly $20 billion on $122.4 billion in revenue.

So why, you might ask, has AT&T been so pathetically sloppy about protecting its customers’ private information that the data of nearly all those customers — 110 million users — ended up in the hands of a “financially motivated” hacker group?

The breach was revealed on July 12, although it mostly occurred in 2022; AT&T attributed the reporting delay to requests from federal authorities to keep it under wraps while they investigated its national security significance.

This breach, cybersecurity experts say, is especially alarming because of the nature of the stolen data. It’s not merely financial data such as bank account or Social Security numbers that might enable hackers to raid a victim’s bank account or engage in identity theft to open new accounts.

In this case, it included information about what numbers were called by hacked users and the numbers that called them; the length of calls, and location data — where you might have been when making or receiving a call. The data the hackers snarfed up came from May through October 2022 and Jan. 2, 2023.

“Telecom providers hold some of the most sensitive information on consumers — a map of their daily lives — where they are, who they’re talking with, their social graph, everything,” says cybersecurity professional Brian Krebs.

The latest disclosure of a hack at AT&T might be considered a signpost for “the year of the megabreach.”

It follows AT&T’s announcement in April of an earlier, unrelated breach that may have compromised the Social Security numbers, PINs, email and mailing addresses, phone numbers, dates of birth and AT&T account numbers of 73 million current and former AT&T customers.

Both AT&T incidents pale in comparison with a massive data breach earlier this year at UnitedHealth Group, the nation’s biggest health insurance and health provider conglomerate. According to congressional testimony by UnitedHealth Chief Executive Andrew Witty and company news releases, a ransomware attack on the company’s Change Healthcare subsidiary has affected as many as 1 in 3 Americans.

Change Healthcare manages patient payments and reimbursements to medical providers. The ransomware hack crippled medical services nationwide and resulted in the exposure of patients’ treatment details and billing information, including credit card numbers. Patients reported that pharmacies were refusing to fill prescriptions because they couldn’t access insurance approvals, risking the patients’ health.

UnitedHealth said it paid a $22-million ransom in bitcoin, but couldn’t be sure that all the hacked information was returned. It also said that it advanced about $9 billion to providers to cover their expenses before their billing could be restored.

The company told Congress that it already had in place “a robust information security program with over 1,300 people and approximately $300 million in annual investment,” but of course those figures are meaningless — the question is how much it would cost to actually have a “robust” program in place, since $300 million obviously isn’t enough.

The breach occurred, according to testimony and statements by the company, because UnitedHealth tried to integrate Change Healthcare’s technology system with its own without first ensuring that Change’s system would require multifactor authentication, a basic security feature that requires users to enter an algorithmically generated code along with their password to gain access to a system or account.

The hackers breached “a legacy Change Healthcare server” that didn’t meet the parent company’s standards, the company said — but it used the noncompliant equipment anyway.

Data breaches affecting hundreds of thousands or millions of consumers have become such familiar features of the consumer landscape that the guilty companies respond with a standard playbook replete with promises to customers.

They point out all the data that wasn’t compromised — AT&T told customers that the latest debacle didn’t involve “the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information.” That’s a bit like airlines following up reports of deadly crashes by pointing out how many planes land and take off safely every day.

The companies typically offer aggrieved customers free credit monitoring and identity theft protection for a period of time; at UnitedHealth, that period is two years.

Whether those services are useful is open to question — after a 2017 data breach at the credit reporting firm Equifax exposed the personal data of 143 million Americans, the identity theft service LifeLock trumpeted its protective services (at $29.99 a month). What LifeLock didn’t make very clear was that the services it was selling were actually provided byEquifax.

The breached companies also attest to their determination to get to the bottom of the hacks, and to their commitment to customer security. AT&T’s recent breach disclosure included this pledge: “Protecting your data is one of our top priorities.”

If there were a trophy for flagrant lying in marketing materials, this would be a strong contender. Under the circumstances, it’s either blatantly untrue or reflects a critical flaw in the company’s fulfillment of its priorities. I asked AT&T what steps it has taken to discipline or remove any executives charged with fulfilling such a crucial priority, up to and including the CEO. AT&T didn’t respond directly to this or other questions I submitted, but referred me to its news release and a customer Q&A on the topic.

AT&T says the breach occurred in a company connection to a third-party cloud data service called Snowflake, to which it had entrusted its customer data. As it happens, some 165 of Snowflake’s corporate clients may also have been targeted by the hackers who struck AT&T. An ongoing investigation by cybersecurity experts suggests, however, that the fault isn’t Snowflake’s — it’s the fault of those clients, who didn’t observe best security practices.

That points to several issues that contributed to AT&T’s breach — and similar breaches around the corporate world. One is why AT&T is hoarding so much information about its users in the first place.

“To have years of call histories, text message histories and location data makes you a massive target for hackers,” says Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project, a New York nonprofit.

“Why does AT&T keep so much information on so many users?” Cahn asks. “They have a perverse incentive to hold on to as much of our data as possible, to think about new ways to mine it for value. When they do that, we’re the ones put at risk.”

In any event, if AT&T is going to store data this sensitive, he says, it needs to employ more rigorous safeguards to protect it.

Yet in corporate America, cybersecurity has been an afterthought, if it receives any thought at all. “These companies at some point decide that it’s really expensive to care a lot more about security when there really aren’t a lot of consequences for screwing it up,” Krebs told me. “You might get sued or have to pay a few hundred million dollars in fines, but these are rounding errors on their profits.”

The European Union’s General Data Protection Regulation allows for a fine of up to 4% of a company’s annual revenue for an especially severe breach, but it’s unlikely that such a penalty could be legislated in the U.S. (If it were, AT&T might be liable for a bill of $4.9 billion.)

Krebs blames indifferent boards of directors for their inattention. Even a data-oriented company such as AT&T has no directors with specific expertise in cybersecurity. Of the nine directors in place as of the 2024 proxy statement, five are credited with experience in technology and innovation, according to what Villanova University business professor Noah Barsky correctly calls “perfunctory” language in their bios in the company’s 2024 proxy statement.

Only one, Stephen J. Luczo, is said to have any particular expertise in cybersecurity, but that’s only as a private equity investor — his background is in investment banking. The board’s newest member, Marissa Mayer, may have cybersecurity experience, but it’s not encouraging: During her tenure as CEO of Yahoo (2012 to 2017), that company experienced an epic data breach that compromised all 3 billion of its user accounts.

“It’s clear that industry is never going to do enough on its own” to protect customer data, Cahn says. The task may have to be placed in regulatory hands. Krebs suggests something akin to a cybersafety review board to introduce something close to accountability. Cahn suggests rules requiring the proactive deletion of sensitive information such as location data and medical records — “You can’t steal what doesn’t exist,” he told me.

The market may yet exercise its own discipline. UnitedHealth is learning the hard way that carelessness about cybersecurity can have a material effect on earnings. In its second-quarter earnings report released Tuesday, the company said that the full-year cost of the Change Healthcare hack may come to as much as $2.05 per share, an increase of as much as 45 cents from its original estimate. Its second-quarter earnings came to $4.54 per share.

But it’s customers who will really bear the costs. “Most Americans,” Krebs says, “have no choice but to do business with these companies if they want to participate in the modern society.”