The Weekly Breach Breakdown: It’s a Duck! – AT&T Customer Data Possibly Stolen; FTC Considers New Regulations

• This week, Hold Security and cybersecurity reporter Brian Krebs reported the discovery of a file containing the personal information of 23 million people. Indicators are that it was AT&T customer data that was stolen.
• AT&T says if that is the case, it did not come from them. The telecommunications company says the information does not appear to have come from their systems and that it may be tied to another incident with a different company
• If you are a concerned AT&T customer, the Identity Theft Resource Center (ITRC) suggests you freeze your credit, make sure you have 12+ character unique passphrases for each account, use a password manager and enable multi-factor authentication (MFA) with an app.
• In other news, the Federal Trade Commission (FTC) is considering cracking down on Commercial Surveillance and Lax Data Security Practices after a vote to seek public comment on whether or not new rules are needed. The process could take more than two years.
• To learn about data compromises, consumers and businesses should visit the ITRC’s improved data breach tracking tool, notified.
• If you believe you are the victim of an identity crime, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website idtheftcenter.org.

It’s a Duck!

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for August 12, 2022.  Each week, we look at the most recent events and trends related to data security and privacy. There are two bits of breaking news today that deserve some attention: a major data breach that, apparently, we’re going to need a DNA test to find its parent – and word from the Federal Trade Commission (FTC) that the agency may be ready to overhaul privacy regulations as we know them.

Let’s start with what appears to be the breach of 23 million customers of a major telecommunications company. Chance are you’ve heard the saying, “If it looks like a duck, walks like a duck, and quacks like a duck – it’s a duck.” Like all good clichés, there is a grain of truth in those words.

AT&T Customer Data Possibly Stolen & Placed on Dark Marketplace

This week, security firm Hold Security and cybersecurity reporter Brian Krebs reported the discovery in a dark marketplace of a file containing personal information on nearly 23 million people. The stolen data contained names, addresses, email addresses, phone numbers, Social Security numbers (SSNs) and dates of birth with indicators the information belongs to customers of AT&T.

Here’s where the duck analogy comes into play. While the data appears to be of AT&T customers, the company says if it is customer data, it didn’t come from them. In a written statement, AT&T explained to reporter Krebs:

“This information does not appear to have come from our systems. It may be tied to a previous data incident at another company. It is unfortunate that data can continue to surface over several years on the dark web.”

What Concerned AT&T Customers Should Do

Given this position, it is unlikely AT&T will issue data breach notifications. If you are a concerned AT&T customer, you should consider taking steps to make your personal information less useful to an identity thief attempting to misuse your stolen data.

1. Freeze your credit. Credit monitoring is helpful. However, it can’t stop someone from creating a new credit account. Freezing your credit
2. Use unique passphrases. Make sure you have long – 12 or more character – passwords, and each account has a unique password. That way, if one password is compromised, a criminal can’t access multiple accounts.
3. Use a password manager or the password manager feature in your mainstream browser to help create and keep track of all those passwords.
4. Enable multi-factor authentication (MFA) on your online accounts and use an authenticator app whenever possible.

FTC Could Consider New Regulations

The other major story this week involves an announcement from the FTC that the agency is considering cracking down on Commercial Surveillance and Lax Data Security Practices. In a 3-2 vote, the Commission issued what is known as an advanced notice of public rulemaking to seek public comment on whether new rules are needed to protect people’s privacy and information. The full rulemaking process, should the FTC decide to pursue new regulations, could take two or more years.

Contact the ITRC

You don’t have to wait years to contact the ITRC if you think you have been the victim of a data breach or other identity crime. Just visit our website at www.idtheftcenter.org. You can also speak with an expert advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). 

Next week, we’re going to publish a new report for the first time that looks at overall identity trends based on the victims who contact us. Join us next week for our sister podcast, The Fraudian Slip, when ITRC CEO Eva Velasquez talks with our Chief Victim Officer Mona Terry about those trends.

We will return in two weeks with another episode of the Weekly Breach Breakdown.