AT&T Faces Data Breach: A Closer Look at Third-Party Risk Management

April 2, 2024

Recently, AT&T issued a concise statement, spanning 183 words, acknowledging a data breach. The breach exposed 65 million records containing sensitive personal information. You can find the statement on AT&T’s website: AT&T Addresses Recent Data Set Released on the Dark Web (att.com).

As a risk manager, two phrases caught my attention:

  1. “…it is not yet known whether the data in those fields originated from AT&T or one of its vendors.”

  2. “…AT&T does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set.”

These statements raise critical questions about AT&T’s internal risk management processes. How can a company of AT&T’s stature be uncertain about the origin of its data or who has access to it? Let’s delve deeper.

If we rely on AT&T for business services and our data was part of this breach, it’s easy to point fingers at them. However, perhaps we should also turn our gaze inward. Have we assessed our own risk management practices?

Consider the following:

  1. Third-Party Assessment: Did your business evaluate how AT&T utilizes third parties? Where are these third parties located? What background checks do they undergo, and how often are they rechecked?
  2. Security Tools: Does AT&T employ robust Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA) tools? Shouldn’t alerts be triggered when an employee attempts to download 73 million names?
  3. Encryption and Key Management: How does AT&T handle encryption at rest and key management? I would expect that customer data is stored in an encrypted manner.

Now, let’s reflect on our own practices. Do we require similar risk controls in our contracts with customers and vendors? Internally, are we aligned with best practices? In the wake of this breach, let’s not only scrutinize external entities but also fortify our internal defenses.

Don’t fret if your answer is a resounding “no.” Most companies find themselves inadequately staffed for the rigorous review and management of risks. However, the rapid advancement of AI technology should inspire confidence that robust risk management processes are now within reach.

But here’s the catch: it’s not a solitary AI entity, like ChatGPT, that can accomplish this feat. Rather, it requires a harmonious blend of Artificial Intelligence components, orchestrated seamlessly alongside compliance documents, human expertise, risk systems, ticketing mechanisms, and messaging platforms. Together, they form a cohesive ecosystem capable of swiftly and transparently evaluating assessments, validating contracts for risk controls, and providing contextual explanations to relevant stakeholders.

Consider AT&T, a prominent name on the list of companies that have weathered massive data breaches, alongside Capital One, Home Depot, Target, Marriott, Change Healthcare, Alibaba, Yahoo!, LinkedIn, United Healthcare, Facebook, Experian, Adobe (and many more). As we reflect on these incidents, let’s also contemplate how risk management can evolve to prevent such breaches and safeguard both individuals and organizations.

Most companies have a similar breach response playbook: patch the hole and buy identity protection for the impacted. How many free identity protection services does one truly need? While they offer a safety net and demonstrate that the breached party ‘did something’, they may not suffice when a malevolent actor wields your Social Security number and health care information to secure a mortgage on your house, or opens credit cards in your name after seeing that you have been diagnosed with a grave disease or have been in a debilitating accident. We would be better off if the breach did not happen in the first place. The stakes are high, and risk management must adapt.

Enter AI-driven process orchestration. By breaking down cost and talent barriers, it empowers risk managers to operate more efficiently. Imagine the relief of not needing an army of 85 spreadsheet-reviewing personnel. Fear not—the rise of AI won’t replace your role; instead, it will elevate you to risk management superhero status, allowing you to focus on safeguarding your company.

Embrace the synergy of outcome-based, AI-powered process orchestration: it’s the path to a resilient and secure future.
