As word spread last weekend that the personal data of 73 million current and former AT&T customers was discovered on the uncensored dark web, AT&T provided the usual advice to customers: Reset your four-digit passcode, monitor accounts and set up fraud alerts. The company also offered courtesy ID theft and credit monitoring to those directly impacted.
But the data discovered — Social Security numbers, dates of birth, names, emails and account numbers — didn’t appear to be from a new breach. It was from “2019 or earlier,” according to AT&T’s notice, and impacted 7.6 million current customers and 65.4 million former customers.
Data breaches have been so frequent in the past two decades there’s a good chance everyone reading this is a victim. As they say in the industry, there are two types of people: those who’ve been hacked and those who don’t know they’ve been hacked (modified from likely originator FBI Director Robert S. Mueller in 2012).
It may feel like there’s only so much consumers can do, especially for those who’ve been overprotective of their digital data for years. But vigilance is more important than ever, said Robb Reck, chief trust and security officer at cloud marketplace Pax8 in Denver and cofounder of cybersecurity podcast Colorado=Security.
“I no longer spend much time worrying about any particular breach notification,” Reck said in an email, “and instead ensure that I’m focused on using a password manager for all of my logins, turning on MFA for every site I care about, and carefully monitoring any changes to my (and my family’s) credit report.”
MFA, or multifactor authentication, requires more than one way for people to verify their identities at login. Typically, one is a password, while the other may be a code shared by text message, an authenticator app or security key fob.
Don’t be the low-hanging fruit
“You can do everything right and still become a victim,” said Eva Velasquez, CEO of the Identity Theft Resource Center in San Diego County, which tracks data breaches and assists victims. “But you can make yourself safer. Don’t be that low-hanging fruit.”
According to the ITRC’s annual report, publicly reported data compromises reached an all-time high in 2023, coming in at 3,205. The victim count was around 353 million accounts, down 16.4% from 2022. Last year, T-Mobile took the top spot with two compromises impacting 37 million people. Comcast’s Xfinity had the second highest, at 35.9 million customers.
But even with all the data breaches and exposed credentials, many people have terrible security hygiene. A survey of about 9,500 consumers by Denver-based Ping Identity found that 72% use three unique passwords for multiple sites while 12% use the same password for everything. More than half rely on their memory to remember passwords but also feel they have too many passwords to keep track of.
If passwords are part of a data breach, it wouldn’t take a clever criminal to mix and match user data lifted from other hacks to figure out who’s using the same passwords. Velasquez recommends passwords that are a phrase with a mix of characters. A password manager can also be a big help.
Security in layers: Not all data is created equal
Last September, a cybercriminal gang convinced a tech support worker at MGM Resorts that they were an employee who had forgotten their password. They provided the necessary personal information, possibly stolen from old hacks. They were verified over the phone and got into the system, according to a Wall Street Journal story titled “The audacious MGM hack that brought chaos to Las Vegas.”
It’s unclear if the social-engineering hackers used data like birth dates or Social Security Numbers to dupe the employee, but when companies rely only on static data to verify users, that’s a problem.
“It’s about supplementing static data with other things. It’s all about layers,” Velasquez said. “And we have to devalue the data. We have to implement new authentication and verification that devalues this static data.”

And the cycle keeps going, said Gadalia Montoya Weinberg O’Bryan, CEO and founder of Dapple Security in Centennial. Hackers take advantage of this moment in time.
“I’d be willing to bet that emails and text messages are being sent to folks right now just saying things like, ‘This is AT&T, we need you to change your password. Click here,’ that are completely fake but taking advantage of the timing makes it seem believable,” O’Bryan said. “These are the moments you have to be particularly vigilant.”
Many agree that the onus should be on the companies. Companies could stop asking for Social Security numbers, birth dates or a mother’s maiden name to verify a customer’s identity. And when they no longer need a user’s data, they should delete it, which is required by Colorado law. The state also has the Colorado Consumer Privacy Act, passed in 2021, to return control of a person’s personal data to the individual. It’s been in effect since July.
“I also do not like the fact that consumers get blamed for these situations. Like, ‘Oh, you shouldn’t be using a weak password,’” O’Bryan said. “My hackles come up at this concept of blaming the consumer for the breach they were involved in. And they unfortunately are the ones who are going to have to deal with it in perpetuity. I think companies really need to take more responsibility.”
Passkeys proliferate
O’Bryan’s company, Dapple Security, is developing a tool that uses biometrics and the newer passkeys to cut down on phishing. And that’s better than MFA, she said, because traditional multifactor authentication can backfire since MFA still requires two sides knowing the same thing — a “shared secret” — which leaves room for someone to snipe that secret.
“Unfortunately, most MFA is really not that much more secure than a password, if at all more secure,” she said. “It gives a little bit of a false sense of security, unless you’re using these more modern passkey-based multifactor.”
O’Bryan, who previously worked as a crypto mathematician at the National Security Agency, is developing biometric technology that would never be stored on some company’s server.
It would work alongside passkeys, a passwordless login technology that started popping up last year. These cryptographic digital keys are stored on user devices and aren’t shared with websites. Instead, a second key is created for websites. The only way to log in is for the keys to meet. The user’s secret key is never shared nor stored on websites so nothing can be stolen. And if users get tricked into clicking a link to a fake site, their passkey won’t work. (Password manager Dashlane has a good explainer on how passkeys work.)
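The passkey login described above, as an added sketch that is not from Dapple Security, Dashlane or any passkey library: it shows why a website that stores only the public key has nothing worth stealing, and why a look-alike site gets no usable login. The `Authenticator` class, `verifyLogin`, and the two `.example` sites are hypothetical names, and the message format is a simplification of what real passkeys sign.

```javascript
// Added illustration: simplified passkey-style login (assumed names, constructed sites).
const nodeCrypto = require('node:crypto');

// User's device: keeps one private key per website and never hands it out.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half is sent to the website
  }
  // The browser, not the web page, reports which origin is asking.
  sign(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null; // no passkey exists for this site
    const clientData = JSON.stringify({ origin, challenge });
    const signature = nodeCrypto.sign(null, Buffer.from(clientData), privateKey);
    return { clientData, signature };
  }
}

// Website: holds the public key and issues a fresh random challenge per login.
function verifyLogin(publicKey, expectedOrigin, challenge, assertion) {
  if (!assertion) return false;
  const { origin, challenge: signed } = JSON.parse(assertion.clientData);
  if (origin !== expectedOrigin || signed !== challenge) return false;
  return nodeCrypto.verify(null, Buffer.from(assertion.clientData), publicKey, assertion.signature);
}

function demo() {
  const SITE = 'https://bank.example';       // constructed real site
  const FAKE = 'https://bank-login.example'; // constructed look-alike site
  const device = new Authenticator();
  const publicKey = device.register(SITE);
  const challenge = nodeCrypto.randomBytes(16).toString('hex');
  const genuine = verifyLogin(publicKey, SITE, challenge, device.sign(SITE, challenge));
  // The look-alike relays the real challenge, but the device has no key for it.
  const phished = verifyLogin(publicKey, SITE, challenge, device.sign(FAKE, challenge));
  // An old signed response does not match the next login's fresh challenge.
  const replayed = verifyLogin(publicKey, SITE, nodeCrypto.randomBytes(16).toString('hex'), device.sign(SITE, challenge));
  return { genuine, phished, replayed };
}

console.log(demo());
```

Unlike a texted code or a password, no value in this exchange is known to both sides in a form that can be typed into a fake page and reused.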
Of course, this doesn’t help the personal data already out there. But users should always pay attention to hacks involving their personal data or others. A good site to check if your credentials have been discovered in a breach is “Have I been pwned?” a long-running site set up by an information security professional as a service to consumers.
“Protective measures are really all you can do at this point for stuff that is already out there. There’s really no reliable way to delete it from the dark web,” O’Bryan said. “I have teenagers now and this is something I’m trying to ingrain in them. Any information that you give to anyone or put on the internet, you’d better assume that that is permanent and that someday, it will become public. Going forward, I do hope we can have better technology solutions and policies to not even store or gather that sensitive data in the first place.”
A few tips worth sharing
➔ How to find out if your data was part of the AT&T breach? You’ll get a letter or email from AT&T. The company is notifying individuals directly who have had sensitive personal information compromised. All current customers also received a passcode reset email. >> More details
➔ Tax time security tip. The IRS provides an Identity Protection PIN, a six-digit number to stop someone else from filing a tax return using your Social Security number or Taxpayer Identification Number. >> Get an IP PIN
Other working bits

➔ Colorado Starbucks: Win one, lose one. Workers at the Starbucks store at 17th and Hoover in Longmont voted to unionize last week with a 15-4 vote, according to National Labor Relations Board results. That makes the store the 11th Starbucks in Colorado to hold a successful election. But in the same week, employees at the Lakewood Starbucks on Jewell and Wadsworth voted against unionizing, with 12 against and seven in favor. In December, Starbucks suggested a path forward to complete contract negotiations this year and in February, Workers United, which represents more than 400 stores, agreed. Getting a contract has proved to be a challenge for all newly formed unions in Colorado. >> Read earlier story
➔ Remove emotional distress cap and expect a $2.1 billion loss, says business group. Colorado caps personal injury jury awards at $729,790 while the medical malpractice cap is $300,000. That resulted in cases like a man who was injured while working on a fracking site in northern Colorado to lose half of the $30 million he won in federal court, according to a CBS report. So, Coloradans for Accountability want to remove the cap and proposed Initiative 150 for the state ballot to let voters decide. The Colorado Chamber of Commerce and the American Property Casualty Insurance Association studied the impact and concluded in a new report that by removing the cap on these “noneconomic damages,” the costs could soar, resulting in a $2.1 billion annual loss to the state’s GDP plus 15,000 jobs. >> Read the Chamber’s report
➔ They came, they saw, they feasted 144,650 times. That’s how many meals were served during Denver Restaurant Week last month, according to Visit Denver. Diners spent $10.5 million at participating restaurants. That’s more than the 1110,000 meals and $4.5 million in sales last year, according to a Denver Gazette report and confirmed by Visit Denver spokeswoman Abby Schirmacher. She said it’s tough to compare results from prior years because prices have changed, from $52.80 for two people back in 2005 to this year’s range of $25 to $55 per person. “However, we know this was certainly one of our strongest years and definitely the biggest since the pandemic,” she said. >> Reminisce about 2024 menus
➔ How to sell, ship and expand online. A free training session sponsored by UPS and U.S. Commercial Services is open to small businesses hoping to expand their business through ecommerce and exports. Hosted by the Denver World Trade Center on April 10, the morning program will touch on topics like APIs, logistics and government support. >> Details and registration
Thanks for sticking with me for this week’s report. Remember to check out The Sun’s daily coverage online. As always, share your 2 cents on how the economy is keeping you down or helping you up at cosun.co/heyww. ~ tamara
What’s Working is a Colorado Sun column about surviving in today’s economy. Email tamara@coloradosun.com with stories, tips or questions. Read the archive, ask a question at cosun.co/heyww and don’t miss the next one by signing up at coloradosun.com/getww.







