The AT&T breach: Lessons for the mid-market

In early July 2024, telecommunications company AT&T disclosed in an SEC filing that hackers had stolen nearly all records of customer calls and texts between May 1 and October 31, 2022, as well as data from a single day in January 2023, which led to a $13 million settlement with the Federal Communications Commission (FCC). 

The content of these communications wasn’t compromised, but the breach exposed metadata that can provide a revealing picture of a customer’s activities. 

These records show whom a person communicated with by phone call or short message service (SMS), how often, and when. As two U.S. Senators noted, “The stolen information can easily provide cybercriminals, spies, and stalkers a logbook of the communications and activities of AT&T customers over several months, including where those customers live and traveled — a stunning and dangerous breach of its customers’ privacy and intrusion into their personal lives.”

While AT&T is a large publicly traded company, the aftermath of the breach holds cybersecurity lessons for smaller organizations too. Here are some key points for the mid-market:

Data retention requires a balance

AT&T reportedly retains call records for 5-7 years. These records, which amount to billions of entries, can support critical business functions such as:

  • Training artificial intelligence models
  • Adjusting pricing and packaging
  • Making sales to third parties

That said, the retention, analysis, and sale of this information have substantial privacy implications.

On top of those, there is the more basic cybersecurity problem that retaining data for longer periods necessarily increases your risk. As we’ve written before, it is simply impossible to steal data that a company doesn’t have.

SMBs should take a lesson from this incident and review:

  • How much information they collect from leads and customers
  • How long they keep it, and how they protect it
  • How they ensure it’s destroyed

Interestingly, AT&T keeps the contents of text messages for only 90 days, which may have prevented the attackers from stealing them.

Regulators are getting involved in data breaches and their fallout

AT&T was required to disclose the breach within four business days of determining that it was “material” under recently implemented Securities and Exchange Commission (SEC) regulations.  

The company discovered the breach earlier in 2024, but delayed public notification to avoid posing a potential risk to national security and public safety, as noted by the U.S. Department of Justice.

While larger companies have entire teams dedicated to navigating these compliance requirements, smaller companies are usually not as lucky. This doesn’t mean the government is ignoring them. In 2022, the Federal Trade Commission (FTC) fined the company Drizly and sanctioned its CEO in his personal capacity following a data breach. The FTC alleged the company:

  • Failed to implement basic security measures
  • Stored login credentials using GitHub
  • Didn’t monitor for threats

Mid-market companies should take note of these incidents and ensure they have effective and actionable:

  • Security policies and risk management programs
  • Employee training and awareness plans
  • Cybersecurity controls

Consider using encrypted messenger applications that don’t retain metadata

One group that wasn’t impacted by the AT&T hack (or suffered less from it) was people who use “over-the-top” messaging applications like iMessage or Signal. Both of these tools apply end-to-end encryption, making it extremely difficult for any third party to read the content of the messages.

iMessages, however, do leave a trail of metadata that can be hacked or subpoenaed. At first glance, this isn’t a concern for most people. But this type of metadata can reveal business-critical information such as:

  • Messages between executives at different companies during mergers and acquisitions.
  • Negotiations with a prominent CEO who plans to take charge of the business.
  • Contact with regulators or members of the media prior to a major event.

Thus, security-conscious firms might especially consider using Signal. Maintained by a nonprofit organization, the Signal messenger app encrypts even the metadata of user communications. This would make its users even more resistant to attacks like the one AT&T faced.

Conclusion

2024 has witnessed a series of enormous breaches hitting companies. Change Healthcare and AT&T are merely the most prominent names to wind up in the news. 

While eliminating risk is impossible, mid-market companies can manage it effectively, and they can do so in an economical way that supports business operations. Simple measures can substantially reduce your risk, including:

  • Tracking and managing risks in a single register
  • Automatically tracking SaaS integrations
  • Monitoring cloud security
  • Training employees

The good news is that the Scrut platform is designed to help do just this for mid-market companies. We give you the tools and expertise necessary to keep your data secure, protect your customers, and get on with your business.
