The leaders of California’s embryonic hydrogen hub announced Wednesday that they have signed a contract with the U.S. Department of Energy worth billions.

The California hub is part of a $7-billion federal project to build the infrastructure for a “clean” hydrogen economy to replace fossil fuels and reduce greenhouse gas emissions. The California hub — known as ARCHES, or the Alliance for Renewable Clean Hydrogen Energy Systems — will net $1.2 billion of that federal money, with plans to bring in another $11.2 billion in private investment. California was awarded hub status in October.

Private participants include oil and gas companies, labor unions, fuel cell makers, electric utilities, truck manufacturers and more.

A hydrogen hub is a network of hydrogen production plants, trucks and pipelines for distribution, and customers that include long-haul fuel cell trucks and buses, port equipment and electric generators.

ARCHES is the first of seven U.S. regional hubs to sign a contract with the Department of Energy.

In a news release, ARCHES Chief Executive Angelina Galiteva called the hub “a monumental step forward in the state’s effort to achieve its air qualify, climate and energy goals, while improving the health and well-being of Californians, and creating green jobs across the state.”

ARCHES board member Bill Burke was even more effusive: The hub’s creation serves as “a testament to our collective dream of a sustainable future where clean energy and equal opportunity uplift every community and provide equitable advancement for the future of our workforce. Together, we are planting seeds of change and nurturing a brighter, more inclusive tomorrow.”

Whether ARCHES can deliver remains to be seen. Clean hydrogen is enormously expensive, with prices far too high to compete against fossil fuels in a competitive market economy. The aim is to subsidize the cost of hydrogen fuel until the industry reduces costs and grows big enough to stand on its own. Galiteva said hydrogen fuel prices could be competitive by 2032.

Some environmentalists are wary of hydrogen, claiming it’s not as clean as its proponents make it out to be. That issue is sure to be debated as ARCHES moves forward. Depending on how the hydrogen is made, it could provide cleaner energy alternatives for hard-to-decarbonize sectors, such as steelmaking and cement production.

California’s hydrogen projects will be located around the state, though heavily concentrated in the Central Valley. Trucks and pipelines will carry hydrogen to end users.

The money will be handed out to dozens of individual, although tightly coordinated, projects. They’ll include 10 hydrogen production sites, truck fueling stations, replacement of diesel-powered cargo-handling equipment at the state’s major ports and experimental prototypes for uses such as ocean shipping.

ARCHES said 220,000 well-paying jobs will be created, with special attention to disadvantaged communities. The hub “will create thousands of union careers while providing continued employment for for existing skilled and trained union members,” said Chris Hannan, president of the State Building and Construction Trades Council of California and a member of the ARCHES board.

Reduction in local pollutants will result in $2.95 billion per year in decreased healthcare costs, ARCHES said.

ARCHES is not a government body but a public-private partnership. It’s registered as a limited liability company, or LLC, with four partners: the California Governor’s Office of Business and Economic Development, the University of California system, the State Building and Construction Trades Council of California and the Renewables 100 Policy Institute.

AT&T is one of America’s largest telecommunications companies. Last year it recorded a pretax profit of nearly $20 billion on $122.4 billion in revenue.

So why, you might ask, has AT&T been so pathetically sloppy about protecting its customers’ private information that the data of nearly all those customers — 110 million users — ended up in the hands of a “financially motivated” hacker group?

The breach was revealed on July 12, although it mostly occurred in 2022; AT&T attributed the reporting delay to requests from federal authorities to keep it under wraps while they investigated its national security significance.

This breach, cybersecurity experts say, is especially alarming because of the nature of the stolen data. It’s not merely financial data such as bank account or Social Security numbers that might enable hackers to raid a victim’s bank account or engage in identity theft to open new accounts.

In this case, it included information about what numbers were called by hacked users and the numbers that called them; the length of calls, and location data — where you might have been when making or receiving a call. The data the hackers snarfed up came from May through October 2022 and Jan. 2, 2023.

“Telecom providers hold some of the most sensitive information on consumers — a map of their daily lives — where they are, who they’re talking with, their social graph, everything,” says cybersecurity professional Brian Krebs.

The latest disclosure of a hack at AT&T might be considered a signpost for “the year of the megabreach.”

It follows AT&T’s announcement in April of an earlier, unrelated breach that may have compromised the Social Security numbers, PINs, email and mailing addresses, phone numbers, dates of birth and AT&T account numbers of 73 million current and former AT&T customers.

Both AT&T incidents pale in comparison with a massive data breach earlier this year at UnitedHealth Group, the nation’s biggest health insurance and health provider conglomerate. According to congressional testimony by UnitedHealth Chief Executive Andrew Witty and company news releases, a ransomware attack on the company’s Change Healthcare subsidiary has affected as many as 1 in 3 Americans.

Change Healthcare manages patient payments and reimbursements to medical providers. The ransomware hack crippled medical services nationwide and resulted in the exposure of patients’ treatment details and billing information, including credit card numbers. Patients reported that pharmacies were refusing to fill prescriptions because they couldn’t access insurance approvals, risking the patients’ health.

UnitedHealth said it paid a $22-million ransom in bitcoin, but couldn’t be sure that all the hacked information was returned. It also said that it advanced about $9 billion to providers to cover their expenses before their billing could be restored.

The company told Congress that it already had in place “a robust information security program with over 1,300 people and approximately $300 million in annual investment,” but of course those figures are meaningless — the question is how much it would cost to actually have a “robust” program in place, since $300 million obviously isn’t enough.

The breach occurred, according to testimony and statements by the company, because UnitedHealth tried to integrate Change Healthcare’s technology system with its own without first ensuring that Change’s system would require multifactor authentication, a basic security feature that requires users to enter an algorithmically generated code along with their password to gain access to a system or account.

The hackers breached “a legacy Change Healthcare server” that didn’t meet the parent company’s standards, the company said — but it used the noncompliant equipment anyway.

Data breaches affecting hundreds of thousands or millions of consumers have become such familiar features of the consumer landscape that the guilty companies respond with a standard playbook replete with promises to customers.

They point out all the data that wasn’t compromised — AT&T told customers that the latest debacle didn’t involve “the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information.” That’s a bit like airlines following up reports of deadly crashes by pointing out how many planes land and take off safely every day.

The companies typically offer aggrieved customers free credit monitoring and identity theft protection for a period of time; at UnitedHealth, that period is two years.

Whether those services are useful is open to question — after a 2017 data breach at the credit reporting firm Equifax exposed the personal data of 143 million Americans, the identity theft service LifeLock trumpeted its protective services (at $29.99 a month). What LifeLock didn’t make very clear was that the services it was selling were actually provided byEquifax.

The breached companies also attest to their determination to get to the bottom of the hacks, and to their commitment to customer security. AT&T’s recent breach disclosure included this pledge: “Protecting your data is one of our top priorities.”

If there were a trophy for flagrant lying in marketing materials, this would be a strong contender. Under the circumstances, it’s either blatantly untrue or reflects a critical flaw in the company’s fulfillment of its priorities. I asked AT&T what steps it has taken to discipline or remove any executives charged with fulfilling such a crucial priority, up to and including the CEO. AT&T didn’t respond directly to this or other questions I submitted, but referred me to its news release and a customer Q&A on the topic.

AT&T says the breach occurred in a company connection to a third-party cloud data service called Snowflake, to which it had entrusted its customer data. As it happens, some 165 of Snowflake’s corporate clients may also have been targeted by the hackers who struck AT&T. An ongoing investigation by cybersecurity experts suggests, however, that the fault isn’t Snowflake’s — it’s the fault of those clients, who didn’t observe best security practices.

That points to several issues that contributed to AT&T’s breach — and similar breaches around the corporate world. One is why AT&T is hoarding so much information about its users in the first place.

“To have years of call histories, text message histories and location data makes you a massive target for hackers,” says Albert Fox Cahn, executive director of the Surveillance Technology Oversight Project, a New York nonprofit.

“Why does AT&T keep so much information on so many users?” Cahn asks. “They have a perverse incentive to hold on to as much of our data as possible, to think about new ways to mine it for value. When they do that, we’re the ones put at risk.”

In any event, if AT&T is going to store data this sensitive, he says, it needs to employ more rigorous safeguards to protect it.

Yet in corporate America, cybersecurity has been an afterthought, if it receives any thought at all. “These companies at some point decide that it’s really expensive to care a lot more about security when there really aren’t a lot of consequences for screwing it up,” Krebs told me. “You might get sued or have to pay a few hundred million dollars in fines, but these are rounding errors on their profits.”

The European Union’s General Data Protection Regulation allows for a fine of up to 4% of a company’s annual revenue for an especially severe breach, but it’s unlikely that such a penalty could be legislated in the U.S. (If it were, AT&T might be liable for a bill of $4.9 billion.)

Krebs blames indifferent boards of directors for their inattention. Even a data-oriented company such as AT&T has no directors with specific expertise in cybersecurity. Of the nine directors in place as of the 2024 proxy statement, five are credited with experience in technology and innovation, according to what Villanova University business professor Noah Barsky correctly calls “perfunctory” language in their bios in the company’s 2024 proxy statement.

Only one, Stephen J. Luczo, is said to have any particular expertise in cybersecurity, but that’s only as a private equity investor — his background is in investment banking. The board’s newest member, Marissa Mayer, may have cybersecurity experience, but it’s not encouraging: During her tenure as CEO of Yahoo (2012 to 2017), that company experienced an epic data breach that compromised all 3 billion of its user accounts.

“It’s clear that industry is never going to do enough on its own” to protect customer data, Cahn says. The task may have to be placed in regulatory hands. Krebs suggests something akin to a cybersafety review board to introduce something close to accountability. Cahn suggests rules requiring the proactive deletion of sensitive information such as location data and medical records — “You can’t steal what doesn’t exist,” he told me.

The market may yet exercise its own discipline. UnitedHealth is learning the hard way that carelessness about cybersecurity can have a material effect on earnings. In its second-quarter earnings report released Tuesday, the company said that the full-year cost of the Change Healthcare hack may come to as much as $2.05 per share, an increase of as much as 45 cents from its original estimate. Its second-quarter earnings came to $4.54 per share.

But it’s customers who will really bear the costs. “Most Americans,” Krebs says, “have no choice but to do business with these companies if they want to participate in the modern society.”

The greatest plot twists lie at the end of a long trail of clues, dramatically revealing an answer hidden in plain sight all along.

The marketing campaign for independent distributor Neon’s surprise horror smash, “Longlegs,” took that concept a step further.

Breadcrumbs — in the form of enigmatic trailers, chilling phone messages, encrypted newspaper ads, fake blog posts and other stunts — littered the promotional path to “Longlegs.” And audiences took the bait, handing New York-based Neon its biggest opening ever as well as the best launch for an independent horror flick in a decade.

The R-rated title — which cost less than $10 million to make and promote, according to the studio — premiered at No. 2 last weekend with $22.6 million in domestic ticket sales.

Its performance “seemingly came out of nowhere,” said Comscore senior media analyst Paul Dergarabedian, especially when sandwiched between safer, flashier pushes for major studio films such as “Despicable Me 4” and “Twisters.”

“If you had talked to people a month ago and said, ‘Is this movie “Longlegs” on your list of films to be one of those sleeper, surprise hits?’ they’d say, ‘What’s “Longlegs”?’” Dergarabedian said.

“Getting audiences on board like this is not easy,” he added. “The way you entice that audience is to do something that goes above and beyond the ordinary … and they certainly did that.”

Helmed by Osgood Perkins (son of the late horror great Anthony Perkins), “Longlegs” stars veteran scream queen Maika Monroe as an FBI agent investigating a series of gruesome homicides. Nicolas Cage plays the film’s titular bogeyman — but you wouldn’t necessarily know that from the marketing materials, which deliberately obscure the actor’s face.

He’s barely shown in the main trailer, which reveals little about the plot. (The studio scrapped its original plan for a more conventional preview after audiences responded enthusiastically to an early, cryptic teaser.)

“It increases the intrigue,” said Monica Koyama, an entertainment marketing expert and communication management professor at USC.

“I mean, he’s definitely frightening in the film. But … sometimes what’s in your head is scarier than what shows up onscreen.”

In an added effort to sell audiences on the fear factor, Neon released a recording of Monroe’s heartbeat spiking from 76 beats per minute
to 170 while filming her first scene with Cage as Longlegs. The studio pulled the audio from a microphone taped to Monroe’s chest after a conversation with Perkins — who deliberately separated the actors before shooting that sequence and said Monroe’s heart was racing during the encounter.

“It’s so simple,” Koyama said. “They gave us data. … ‘We’re saying this is scary. Here’s the actual raw data from the actress.’”

It’s all part of Neon’s ploy to place moviegoers in the shoes of the protagonist.

The success of “Longlegs” is “a testament to the wildly creative, exciting film [that director] Osgood Perkins and his fantastic group of collaborators created,” Elissa Federoff, president of distribution at Neon, said in a statement to The Times.

“We couldn’t be happier with the results, and we look forward to continuing our relationship with Osgood and his team of producers, all of whom have allowed us the freedom to build a campaign we believe in.”

Koyama suspected that Neon intentionally blurred the lines between the horror and crime genres to appeal to a wider audience. She also credited plenty of tried-and-true advertising moves — such as quoting rave reviews calling it one of the scariest movies in years — with getting “Longlegs” over the line.

“This is going to reignite the creativity within marketing,” Koyama said. “I’m hoping studios will feel more excited about taking chances.”