
AT&T Data Breach


(0:04) I’m Earl Duby, I’m the CISO at Auxiom. I’ve been getting a lot of questions over the last couple of days about this AT&T data breach, and I just wanted to take a few minutes just to answer the questions that I’ve been getting and just talk about what we can do now that we know about this. So, like, the first thing to remember is this breach apparently happened, like, five years ago.

(0:29) So the data that was taken, the 73 million records that were stolen, were apparently from before 2019. And at the time AT&T disavowed it, said it wasn’t really them, that it was potentially a third party that had the data and lost it.

(0:50) Then fast forward a couple of years to, I think, 2021: that data made its way out to the dark web, and again AT&T said nope, wasn’t us, must have been a third party that lost that data.

(1:07) And then you fast forward again to basically a week or two ago, when another researcher discovered a bunch more of this data sitting out there and said, hey, this really looks like AT&T data. I think AT&T is now backed into a corner where there are 73 million records out there of data that looks very specific to the AT&T website.

(1:29) And one of these researchers actually went out and found, like, 50 people off the list and said, hey, if you look at this data, could this data have been anywhere else other than AT&T? And all of these people said nope, these are the email addresses that we use just for AT&T accounts, or these are the passwords that we use just for AT&T.

(1:48) So they pretty well determined that this is in fact from AT&T. So regardless of whether the company wants to admit it or not, it really appears that this data is from an AT&T breach, most likely from five years ago.

(2:07) So that gets to the next question of, all right, so what are we supposed to do with this? So now we know that five years ago we potentially were, you know, breached and we had this data taken.

(2:23) So for the 73 million people, you know, this is what’s really crazy about this particular breach, just in the way that AT&T is being very dodgy about how they’re addressing this: we don’t actually even know what data was taken, because it appears that it’s been different for each group of people

(2:40) because there were former customers, current customers, and there’s, like, different tranches of data that were part of these 73 million, and so some customers, it looks like, had everything taken, including their social security number, whereas others maybe didn’t have their social security numbers taken.

(3:07) So just because you were a customer of AT&T five years ago, you don’t actually know what data was taken yet.

(3:12) So now you’ve got to wait for AT&T to contact you and say, hey, here’s what was taken specifically of yours, which is a very uncomfortable position to be in.

(3:23) One way that you can actually figure out, like, how much of your data was breached is to go to a website called “have I been pwned”. And if you go to that website, you can put your email address in there, or the email address that you think you used when you were with AT&T, and it will tell you what data was potentially taken.

(3:43) Short of that, you have to wait for AT&T to send you an email or send you a letter or send you something and have them explain what was taken.

(3:53) Once you understand what was taken, you can kind of put together an action plan, because it’s kind of hard to put a plan together when you don’t know exactly what data was taken. But if your social security number was taken, you’re kind of in the worst possible situation, because you can’t do much about that other than, you know, what I would suggest you do is you do a freeze on your credit bureau.

(4:17) So you go to one of the three credit bureaus and you put a freeze in, and then that kind of propagates its way to the other two. But put a data freeze or a credit freeze on, and then, you know, take whatever free credit monitoring AT&T is going to give you, you know, take the two years, but I think all of us have to come to the realization that we’re going to have credit monitoring for the rest of our life.

(4:39) So you just have to kind of come to terms with the idea that you’re going to be paying $30 a year or whatever it is just to continuously monitor your personal data, because if it’s AT&T five years ago, or LinkedIn before that, or Home Depot, or, you know, you name it, you know, there’s a breach going on pretty much every single day for the rest of our lives. And so you might as well just, you know, get the credit monitoring: take the free, and then when it runs out just renew it and keep going with it, because, you know, who knows when the next one’s coming.

(5:23) So freeze your credit, take the credit monitoring. The other thing is, you know, if you have a password that you are using for your AT&T account, that’s pretty well gone, you know, that’s public information now, and so hopefully you did not reuse that password anywhere else. And, you know, again, this is why it’s a little bit weird that we’re talking about a data breach from five years ago, because the reality is whatever was going to happen probably has already happened.

(5:52) But this is just a reminder of, you know, how you can do things, you know, as we go forward. So don’t reuse passwords; it’s kind of the main point here. So if you’re using a password for AT&T, don’t use the same password for your bank or for, you know, your car loan or whatever. You know, try to use disposable passwords at each kind of different point.

(6:21) Now, something I do is, you know, I have kind of my cheap passwords that I use for stupid websites like, you know, newsletters and things like that, which are, you know, a little bit, you know, lower quality and shorter. But when you get into things that actually matter, where financial information is involved or, you know, personal information, definitely come up with highly complex passwords, put them in a password manager, and don’t use them for any other sites.

(6:51) Because typically how these adversaries work is they’ll breach one site, grab your email, which also, you know, doubles as your account name on most websites, so they grab your password, your email address, they load it into an automated tool, and then they just start spraying that all over the internet trying to find other accounts that that combination works in.

(7:13) Those are called password spraying, you know, attacks, so you want to avoid reusing the same password on multiple sites, because obviously you can’t do much about the email address, but you can have multiple email addresses too. I have multiple email addresses, and so you can kind of use different email addresses for different sensitivity levels of websites.

(7:40) So, you know, you can do some of that, and then, you know, monitor your credit reports, you know, make sure you’re looking at that on a monthly basis, you know, just to see if any new credit was opened up. Now, if you had your credit freeze on, you shouldn’t have to worry about that.

(7:58) But you still want to look at the reports and look at, you know, and monitor that pretty actively. So I think that just the whole thing is we’ve got to become much more active in how we manage our own personal data and our own financial statistics, and, you know, we have to be more active in that.

(8:20) I know in the past you just kind of said, hey, I got a FICO score, and when I go sign up for my car loan I’ll figure out what it is. That doesn’t work anymore, just because there’s so much crime going on out there; you have to actively be engaged in your own information.

(8:36) So with that, you know, hopefully those are some good pointers that you can take away, you know, and hopefully you’re not part of the 73 million AT&T records that were stolen. 

(8:45) But chances are you were, and chances are you were part of many other data breaches.  

(8:54) Actually, you know, talking about the “have I been pwned” site, you know, I just threw my email address in there and found out, you know, I was part of eight breaches over the last five years, you know, and some of them I knew about, but what is this? I didn’t know this data breach happened, and somehow I got caught up in that.

(9:14) Just because a third party, you know, was involved in some transaction and I didn’t know they were involved in it. So, you know, just because you weren’t part of the, you know, X, Y or Z breach that you see on TV, or you don’t think you were part of that, with all these third-party relationships that are going on, chances are companies that you don’t even know of hold your personal information, and you might not even know about that until you get a letter in the mail.

(9:37) So that’s why it’s important to take a more active role in managing your data and do the things we just talked about and hopefully that will keep you more secure. Thanks. 
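Added example, not part of Earl Duby’s talk: the replay of leaked email/password pairs across many sites that he describes looks the same from a site operator’s side whatever it is called, namely one source trying many different account names in a short window, with the occasional success where a reused password matched. The Python below parses a constructed auth log (hypothetical line format, assumed here) and flags such sources, then lists the accounts the flagged source actually got into.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format: timestamp, result, user, source IP).
# 203.0.113.7 cycles through many accounts; 198.51.100.9 is one user retrying their own login.
SAMPLE_LOG = """\
2024-03-30T10:00:01 LOGIN_FAIL user=alice@example.com src=203.0.113.7
2024-03-30T10:00:02 LOGIN_FAIL user=bob@example.com src=203.0.113.7
2024-03-30T10:00:03 LOGIN_OK user=carol@example.com src=203.0.113.7
2024-03-30T10:00:04 LOGIN_FAIL user=dave@example.com src=203.0.113.7
2024-03-30T10:00:05 LOGIN_FAIL user=erin@example.com src=203.0.113.7
2024-03-30T10:00:06 LOGIN_FAIL user=frank@example.com src=203.0.113.7
2024-03-30T10:05:00 LOGIN_FAIL user=alice@example.com src=198.51.100.9
2024-03-30T10:05:30 LOGIN_FAIL user=alice@example.com src=198.51.100.9
2024-03-30T10:06:00 LOGIN_OK user=alice@example.com src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Turn log lines into (timestamp, result, user, src) tuples; skip lines that don't match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user.lower(), src))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=10), min_users=5):
    """Return {src: set of users} for sources that tried >= min_users distinct accounts
    within one sliding window. A legitimate user mistyping hits one account many times;
    a replayed leaked list hits many accounts once each."""
    by_src = defaultdict(list)
    for ts, _result, user, src in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = users
                break
    return flagged

def compromised_accounts(events, flagged):
    """Accounts a flagged source actually logged into: the reused pairs that worked,
    and the ones to force a password reset and an MFA check on."""
    return sorted({u for _t, r, u, s in events if s in flagged and r == "LOGIN_OK"})
```

A flagged source is a candidate for rate limiting or blocking, and each account it logged into should be treated as compromised even though the login itself looked valid.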

