> Totally, way too many people are trying to blame snowflake.

Well the _actual_ compromise started from one of their employees, so it's pretty unsurprising that they're getting (some of) the blame.

Ahh. The linked article didn't have that detail.

They attributed it to a lack of 2FA

AT&T and phone carriers in general are not technology companies. They are infrastructure companies that purchase off-the-shelf communication technology, slap a billing system on top, and then spend most of their time on operations (finding places to put towers, keeping the gear up and running) and marketing. The security component of communications isn't built by them, but by the equipment manufacturers that they purchase from. There are no strong penalties for involuntary data leaks - why would they do more?

ATT has a rich history of being a technology company. They invented UNIX! That's in the past, fair enough.

So they used to develop cutting edge technology, they sell technology, they buy technology, they operate technology, they work with manufacturers to develop new technology, they operate the infrastructure underpinning the modern technology economy, but they aren't a technology company?

Even if you want to argue that they aren't a technology company, they sure spend enough time doing everything a technology company does to hold them accountable for their technology failures.

> They invented UNIX!

They also invented the transistor, C, the photovoltaic cell, radio astronomy, and … the telephone. ;)

Yes that’s the past, but AT&T labs still employs almost two thousand people. It’s very funny to try to claim AT&T isn’t a technology company and only peddles services on top of equipment made by others.

The company called AT&T now and the company called AT&T that invented Unix have really nothing in common but a thin stretch of history by now. The technology development units of AT&T were split off into Lucent a long time ago.

Calling AT&T a tech company because they operate technological infrastructure is like calling Spirit Airlines an aerospace technology company because they operate jet airplanes.

> The security component of communications isn’t built by them

Are you claiming AT&T outsourced security and have contracts to back that up? Buying security equipment surely doesn’t amount to having security, that would be hilariously naïve. Equipment manufactures are not responsible for AT&T’s data security, AT&T is. There are laws around security that can hold AT&T liable, in the US and Europe and elsewhere. Whether they will hold the company liable is another question, but these laws will not accept an excuse that AT&T purchased security equipment from another company.

I claim that these companies do not have a particularly high amount of in-house infosec know-how and outsource a lot of it, not necessarily just in terms of buying equipment, but also the service component of how to set up business practices in a secure way. It doesn't absolve them of their failures but I'm no less surprised in AT&T failing to protect data than I would be McDonald's.

It’s unclear what you’re arguing. That AT&T isn’t capable of securing customer data, and we shouldn’t expect that of them? That they shouldn’t be held liable?

If they don’t have the core competency, they need to obtain it as a requirement of doing business.

AT&T is a real-estate company that coincidentally sells telecommunications services. My wife used to work for them and given what she's told me I would never in a million years do any business with them intentionally.