Shrewd'm.com 
A merry & shrewd investing community


Halls of Shrewd'm / US Policy
Author: WatchingTheHerd HONORARY SHREWD

Number: of 48500 
Subject: Policy Idea: SSNs for Employers Only
Date: 04/06/2024 12:12 AM
No. of Recommendations: 14
This is a board about US policy issues.

Here's one I think we should all be able to agree upon, regardless of political affiliation.

AT&T announced a massive data breach on March 30, 2024.

https://www.washingtonpost.com/business/2024/03/31...

In a Saturday announcement addressing the data breach, AT&T said that a dataset found on the “dark web” contains information including some Social Security numbers and passcodes for about 7.6 million current account holders and 65.4 million former account holders.

Sounds disastrous, right? It's worse. First of all, note that they released their statement on the Saturday before Easter Sunday, not exactly a point in the weekly news calendar that's going to gain much attention. So when did the breach occur? A week prior? A month prior? A couple of months prior?

Nope. AT&T is vague about the actual date of the breach and claims to be unable to confirm if the data actually leaked from its internal systems or from the systems of one of its vendors. Other security experts believe the data referenced in AT&T's 2024 notification is actually related to data from AT&T that appeared on dark web sites in 2021. AT&T refused to acknowledge that breach at the time, which means it did not notify customers whose data was present in those dumps back in 2021. That means hackers have had a three-year head start attempting to leverage that data for credit card fraud, identity theft, etc. without customers being able to proactively obtain protection or take measures to change passwords, etc.

If you are familiar with the law in this area, you are aware that entities are required to provide notifications to customers anytime confidential account information, financial information, SSNs, login identities or login passwords/PINs are compromised. Failure to do so triggers stiff penalties, not to mention the likelihood of lawsuits from affected customers. Why didn't AT&T notify its customers in 2021? AT&T felt that since the data was only available on the "dark web" and access was restricted by a "pay wall", that data exposure didn't count as a breach.

THE POINT...

So why does AT&T or any other corporation have the social security number of tens of millions of Americans?

In the old days prior to the Internet and online automatic bill payments, companies like utilities offering continuous service used SSNs to conduct credit checks on new customers as they connected to identify customers with prior unpaid bills owed to the company or general credit issues for non-payment. Imagine Herman Munster last had AT&T service at 1313 Mockingbird Lane and moved out of that house leaving an unpaid balance of $97.00 eighteen months ago. Now Herman is moving into a different address at 2112 Rush St. and is attempting to connect AT&T phone/DSL service. By collecting SSN for new customers, companies could correlate prior account histories and non-payment problems with new connect orders and trigger processes that could force collection of the past-due balance, require increased deposit fees for bad credit or deny the new connect order entirely.

This made perfect sense in the "olden days" prior to online account portals supporting credit card payments and auto-pay mechanisms. In a world where such payment conveniences are available -- and many service providers REQUIRE auto-payment via credit card -- these old mechanisms and the SSN data they leverage should not be required for ANY corporation. It's bad enough customers are giving them credit card information which many companies fail to utilize and protect correctly with processes called tokenization. But to still be required to provide SSN to obtain internet, cable, electric or gas service? That's insane. If I'm willing to give you my credit card but unwilling to give you my SSN, then here's the deal... If you ever encounter a failure processing my credit card payment, you have one day to notify me electronically to pay up or suspend my service. If I value my SSN security more than a potential service interruption from a payment glitch, I should be able to make that bargain with a provider. For providers like electric, gas and water companies that have physical work to perform in the field to suspend service, they can collect an average month's bill amount as a deposit on the credit card at time of connect as a buffer to cover that cost. Currently today, some utilities will NOT process new connect orders without an SSN.

Congress needs to enact new legislation BANNING use of SSN as any form of identification except for EMPLOYERS who have to handle payroll deductions for taxes and BANKS needing a key to unify financial records for lending decisions and tax payments from banking accounts. There is ZERO other need for other corporations to be collecting and housing SSNs. And corporations have proven repeatedly they cannot be trusted to protect that information.

Related to this direct ban on use of SSN, this problem is an example of the security risk of corporations hoarding YEARS (DECADES?) of data for data mining purposes rather than discarding data. In this AT&T breach, 7.6 million records were tied to current customers but 65 million were associated with FORMER customers. If I haven't done business with a company in X years, companies should face steep financial penalties if they choose to keep that data for their own selfish data mining reasons then fail to protect it. A few states have laws like California's CCPA (California Consumer Protection Act) which give the customers the right to a) demand to SEE what information a company is retaining on them (either as an active or former customer) and b) demand that the company PURGE such data upon request, except data required by the company to comply with regulatory requirements. Such laws should be enacted at the federal level and switch the logic to default to requiring companies to DELETE former customer data after some maximum post-disconnect interval (say 1-2 years). I should NOT have to worry what AT&T is going to do with my data when I haven't been their customer for seven years.


WTH


Author: WiltonKnight
Number: of 48500 
Subject: Re: Policy Idea: SSNs for Employers Only
Date: 04/06/2024 7:12 AM
No. of Recommendations: 0
Rec and agree.


Author: onepoorguy 🐝
Number: of 48500 
Subject: Re: Policy Idea: SSNs for Employers Only
Date: 04/06/2024 1:07 PM
No. of Recommendations: 1
The "why" is that it is a unique number for each of us that can easily get lots more information about us.

I remember in my distant youth that it was illegal to ask for it. I even remember the law: The Privacy Act of 1974. But everyone seems to ignore it. Or maybe it was rescinded without my noticing. In AZ they want it for your driver's license, but it is labeled "optional". And my insurance ID hasn't been my SS# for a long time (so I don't give it to doctors, either). When I first started working, it was. But that stopped 25 years ago. Even 1poorMIL's Medicare assigned a random number rather than using her SS# on her card.

FWIW, I never give my SS# except for taxes (I'm not messing with the IRS). But that doesn't really matter, apparently, because one entity I refused to give it ended up finding it anyway (I don't know how).

