Why Corporations Fail to Protect Our Data

Almost nine years ago, when both T-Mobile and Experian were hacked, I wrote an article for The New Yorker. I argued that the companies wouldn’t learn anything from the mess created by these data and privacy breaches. As a result, we, the citizens, are now simply Data Piñatas.

Consumers have become data piñatas – hacked, tracked and abused by everyone from hackers, governments, and worse of them all, apathy on part of legislators and their corporate overlords. 

I was reminded of that article, mostly because I was catching up with the news of another data breach. AT&T very reluctantly admitted that it was hacked in 2021, and millions were impacted. 

It finally took action only after being contacted by a reporter from TechCrunch, a technology publication. TechCrunch reported that the company wouldn’t even admit that there was a data spill.

The hack is so vast that personal data, including dates of birth, social security numbers, and other details of over 72 million people — 7.6 million current AT&T account holders and approximately 65.4 million former account holders — have been leaked. I was an AT&T customer once, so it’s pretty likely I was impacted as well. So far, AT&T has not been in touch. 

These guys get in touch when you are late with your payment — but not when they can’t do their job. My initial reaction to the news was the all-too-familiar rage, and the all-too-often repeated four-letter words. AT&T wants you to sign up and get free monitoring from one of the three credit bureaus — which have been hacked at some point.

This is no different from what T-Mobile did when it was hacked. The problem with such actions is that it leads to nowhere — placing the entire responsibility on the citizen, who is left dealing with the mess created by large corporations through no fault of their own. None of this should surprise anyone. As I pointed out in my piece for The New Yorker:

By now, we’re familiar with this pattern: a company discloses a data theft, executives express grave concern, and customers are left to reset their passwords and sign up for free data protection, feeling all the while like data piñatas.

An offer of a credit-watching service in the wake of a hack is sort of like getting an alert after a fire has burned down your house. Brian Krebs, of Krebs on Security, wrote, “Identity protection services like those offered by CSID, Experian and others do little to block identity theft: The most you can hope for from these services is that they will notify you after crooks have opened a new line of credit in your name. Where these services do excel is in helping with the time-consuming and expensive process of cleaning up your credit report with the major credit reporting agencies.”

Companies that fail to secure customer data are able to do so in part because they know that the penalties are generally low; they can continue to make money while being protected by the sluggishness of legislative bodies. Though the F.T.C. and F.C.C. can investigate and punish some data-security breakdowns, and nearly every state has some form of notification law in place in the event of data theft, these patchwork measures have proved unable to slow the pace of breaches.

Systems that genuinely protect data do exist, but more often than not companies have not made upgrades to their hardware and software infrastructures that would allow them to prevent breaches, detect them when they occur, and limit damage.

T-Mobile paid $350 million in fines for the data breach that impacted 77 million people — $4.50 per customer. Experian paid $700 million. Roughly twice as much. That is what our data and privacy are worth! Even Facebook values you more than just $4.50!

It is no wonder why companies like AT&T don’t give a shit when it comes to security, privacy, and our data. Don’t expect government officials or politicians to do anything — they have been influenced by the telecoms like AT&T, Verizon, and T-Mobile. 

March 31, 2024. San Francisco