I'm more stunned that AT&T knew back on Apr 19 [UPDATE: Mar 20] yet feels it had neither an SOX violation or SEC obligation (share price effect) to notify timely. Like, by Apr 22. Not three months later [UPDATE: 4 months later].
Remember the massive Yahoo 2014 hack which Yahoo management failed to notify its own users for 2 years?
If SOX violation only literally covers users' own passwords getting breached, but not 2FA or other passwords to access the same data, will Congress amend it urgently?
EDIT: apparently they're hiding behind the 3/20 disclosure [0] which is all they disclosed until [1],[2] today.
> "AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web; source is still being assessed...
> "AT&T has launched a robust investigation supported by internal and external cybersecurity experts. Based on our preliminary analysis, the data set appears to be from 2019 or earlier [incorrect], impacting... approx 7.6m current and 65.4m former AT&T account holders"*
> "Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set.... As of today, this incident has not had a material impact on AT&T’s operations."* [but did it have a material impact on the customers/ex-customers?!]
> "Based on our investigation, the compromised data includes files containing AT&T records of calls and texts of nearly all of customers of [AT&T’s cellular and (MVNOs) using AT&T’s wireless network], as well as AT&T’s landline customers who interacted with those cellular numbers between May 1, 2022 - October 31, 2022. The compromised data also includes records from January 2, 2023, for a very small number of customers. The records identify the telephone numbers an AT&T or MVNO cellular number interacted with during these periods. For a subset of records, one or more cell site identification number(s) associated with the interactions are also included."
Subsequent reporting reveals that the DOJ ordered two ~month-long "delay periods" in disclosure:
> The Justice Department determined on May 9 and again on June 5 that a delay in providing public disclosure was warranted, so the company is now timely filing the report.
> The company [AT&T] is working with law enforcement and believes at least one person has been apprehended, according to the filing. It does not expect the event to have a material impact on its financials.
Remember the massive Yahoo 2014 hack which Yahoo management failed to notify its own users for 2 years?
If SOX violation only literally covers users' own passwords getting breached, but not 2FA or other passwords to access the same data, will Congress amend it urgently?
EDIT: apparently they're hiding behind the 3/20 disclosure [0] which is all they disclosed until [1],[2] today.
[0]: March 30, 2024 - "AT&T Addresses Recent Data Set Released on the Dark Web" https://about.att.com/story/2024/addressing-data-set-release...
> "AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web; source is still being assessed...
> "AT&T has launched a robust investigation supported by internal and external cybersecurity experts. Based on our preliminary analysis, the data set appears to be from 2019 or earlier [incorrect], impacting... approx 7.6m current and 65.4m former AT&T account holders"*
> "Currently, AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set.... As of today, this incident has not had a material impact on AT&T’s operations."* [but did it have a material impact on the customers/ex-customers?!]
[1]: Jul 12, 2024 - "AT&T Addresses Recent Incidents Regarding Access to Data" https://about.att.com/pages/data-incident.html
[2]: Jul 12, 2024 - "AT&T Addresses Illegal Download of Customer Data" https://about.att.com/story/2024/addressing-illegal-download...
> "Based on our investigation, the compromised data includes files containing AT&T records of calls and texts of nearly all of customers of [AT&T’s cellular and (MVNOs) using AT&T’s wireless network], as well as AT&T’s landline customers who interacted with those cellular numbers between May 1, 2022 - October 31, 2022. The compromised data also includes records from January 2, 2023, for a very small number of customers. The records identify the telephone numbers an AT&T or MVNO cellular number interacted with during these periods. For a subset of records, one or more cell site identification number(s) associated with the interactions are also included."