The AT&T breach: Lessons for the mid-market

In early July 2024, telecommunications company AT&T disclosed in an SEC filing that hackers had stolen nearly all records of customer calls and texts between May 1 and October 31, 2022, as well as data from a single day in January 2023, which led to a $13 million settlement with the Federal Communications Commission (FCC).
The content of these communications wasn't compromised, but the breach exposed metadata that can provide a revealing picture of a customer's activities.
These records show the frequency and timing of everyone with whom a person communicated using phone calls or short message service (SMS). As two U.S. Senators noted, "The stolen information can easily provide cybercriminals, spies, and stalkers a logbook of the communications and activities of AT&T customers over several months, including where those customers live and traveled," calling it "a stunning and dangerous breach of its customers' privacy and intrusion into their personal lives."
While AT&T is a large publicly traded company, the aftermath of the breach holds cybersecurity lessons for businesses of every size. Here are some key points for the mid-market:
Data retention requires a balance
AT&T reportedly retains call records for 5-7 years. These records, which amount to billions of entries, can support critical business functions such as:
- Training artificial intelligence models
- Adjusting pricing and packaging
- Making sales to third parties
With that said, the retention, analysis, and sale of this information has substantial privacy implications.
On top of those, however, there is also the more basic cybersecurity problem that retaining data for longer periods necessarily increases your risk. As we've written before, it is simply impossible to steal data that a company doesn't have.
SMBs should take a lesson from this incident and review:
- How much information they collect from leads and customers
- How long they keep it, and how they protect it
- How they ensure it's destroyed
Notably, because AT&T keeps the contents of text messages for only 90 days, that shorter retention may be what prevented the attackers from stealing them.
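As an added illustration (not code from the article or from Scrut), the following Python script applies a per-class retention limit to a constructed set of communication records and shows how much data would still be exposable on a given day; the 90-day content limit is the figure quoted above, while the metadata limit, the record format and the sample dates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention limit per data class, in days. The 90-day limit for message
# content is the figure the article gives for AT&T; the metadata limit is
# a constructed value for this example, not AT&T's actual policy.
RETENTION_DAYS = {"message_content": 90, "comm_metadata": 365}


@dataclass(frozen=True)
class Record:
    record_id: str
    data_class: str
    created: date


def is_expired(record: Record, today: date) -> bool:
    """True once a record has outlived its class's retention limit."""
    # Fail closed: a class with no defined limit is an error, so data that
    # was never assigned a retention period cannot quietly accumulate.
    if record.data_class not in RETENTION_DAYS:
        raise ValueError(f"no retention limit for {record.data_class!r}")
    return today - record.created > timedelta(days=RETENTION_DAYS[record.data_class])


def purge(records, today):
    """Split records into those to keep and those that must be destroyed."""
    keep, destroy = [], []
    for r in records:
        (destroy if is_expired(r, today) else keep).append(r)
    return keep, destroy


def exposure_by_class(records):
    """Count records per class: what a breach on this day could expose."""
    counts = {}
    for r in records:
        counts[r.data_class] = counts.get(r.data_class, 0) + 1
    return counts


# Constructed sample; ages are relative to TODAY and straddle each limit.
TODAY = date(2023, 1, 15)
SAMPLE = [
    Record("m1", "message_content", date(2022, 10, 1)),   # 106 days: destroy
    Record("m2", "message_content", date(2022, 11, 1)),   # 75 days: keep
    Record("m3", "message_content", date(2022, 10, 17)),  # exactly 90: keep
    Record("c1", "comm_metadata", date(2022, 5, 1)),      # 259 days: keep
    Record("c2", "comm_metadata", date(2021, 12, 1)),     # 410 days: destroy
]
```

Running `purge(SAMPLE, TODAY)` keeps m2, m3 and c1 and marks m1 and c2 for destruction, so the record set exposable on that day shrinks from five entries to three.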
Regulators are getting involved in data breaches and their fallout
AT&T was required to disclose the breach within four business days of determining that it was material under recently implemented Securities and Exchange Commission (SEC) regulations.
The company discovered the breach earlier in 2024 but delayed public notification because, as the U.S. Department of Justice noted, earlier disclosure could have posed a risk to national security and public safety.
While larger companies have entire teams dedicated to navigating these compliance requirements, smaller companies are usually not as lucky. This doesn't mean the government is ignoring them. In 2022, the Federal Trade Commission (FTC) fined the company Drizly and sanctioned its CEO in his personal capacity following a data breach. The FTC alleged the company:
- Failed to implement basic security measures
- Stored login credentials on GitHub
- Didn't monitor for threats
Mid-market companies should take note of these incidents and ensure they have effective and actionable:
- Security policies and risk management programs
- Employee training and awareness plans
- Cybersecurity controls
Consider using encrypted messenger applications that don't retain metadata
One group that was not affected (or was affected less) by the AT&T hack is people who use over-the-top messaging applications such as iMessage or Signal. Both of these tools apply end-to-end encryption, making it extremely difficult for any third party to read the content of the messages.
iMessage, however, does leave a trail of metadata that can be hacked or subpoenaed. At first glance this isn't a concern for most people, but this type of information can reveal business-critical facts such as:
- Messages between executives at different companies during mergers and acquisitions.
- Negotiations with a prominent CEO who plans to take charge of the business.
- Contact with regulators or members of the media prior to a major event.
Thus, security-conscious firms might especially consider using Signal. Maintained by a nonprofit organization, the Signal messenger app encrypts even the metadata of user communications. This makes its users even more resistant to breaches like the one AT&T suffered.
Conclusion
2024 has witnessed a series of enormous breaches hitting companies. Change Healthcare and AT&T are merely the most prominent names to wind up in the news.
While eliminating risk is impossible, mid-market companies can manage it effectively, and they can do so in an economical way that supports business operations. Simple measures can substantially reduce your risk, including:
- Tracking and managing risks in a single register
- Automatically tracking SaaS integrations
- Monitoring cloud security
- Training employees
The good news is that the Scrut platform is designed to help do just this for mid-market companies. We give you the tools and expertise necessary to keep your data secure, protect your customers, and get on with your business.
Want to learn more? Book a demo now!