Personal information of 7.6 million AT&T customers and of 65 million former AT&T customers have appeared on the dark web in the last two weeks. Stuff happens, even egregiously bad stuff. What makes this stuff especially egregiously bad, though, is AT&T‘s claim that the data appear[] to have come from 2019 or earlier.

That especially bad status flows from some questions:

Why wasn’t the data breach discovered those 5 or more years earlier; why did AT&T not know of the breach of its own systems until they saw the results of the breach just recently?

If AT&T did know of the breach those years ago, why did they sit on the information all this time?

If AT&T did discover the data breach promptly, and the data that appeared on the dark web only happened to be from 2019 and prior, what were the safe guards in place—or not—for what would have been archived data? What are the safeguards for data from 5 years ago through to the present? How does AT&T know those data haven’t been penetrated and stolen, also?