ADT says customer data stolen in cyber intrusion

47 points by PaulHoule 2 days ago | 21 comments

gnabgib 2 days ago |
Again sigh
2024 Home security giant ADT says it was hacked (34 points, 14 comments) https://news.ycombinator.com/item?id=41193157
2021 Home Security Tech Hacked into Cameras to Watch People Undressing and Having Sex (32 points, 6 comments) https://news.ycombinator.com/item?id=25876366
2015 How to Hack an ADT Alarm System (78 points, 68 comments) https://news.ycombinator.com/item?id=8947172
SilverElfin 2 days ago |
There’s no real consequence for security breaches. No fine. No reimbursement to the victims. No jail time for the CEO and board.
ranger_danger 2 days ago |
Are there real consequences in any country?
smcin 2 days ago |
Yes. The 2018-9 breach and cyberextortion involving Finland's mental-health startup Vastaamo.
- CEO Ville Tapio was convicted criminally under the GDPR.
- The company failed in 2021.
- Finland's NBI tightened criminal code on privacy violations of data subjects, either intentionally or through gross negligence, if they cause damage or significant inconvenience to the data subject.
https://news.ycombinator.com/item?id=40210873
dylan604 2 days ago |
But now that it has happened once, will they ever do it again? A lot of innocent people lost their jobs because of not fault of their own. I'm putting this in the context of the NCAA punishment given to SMU frequently referred to as the death penalty. The NCAA has since said they would not do that again as there was a lot of unanticipated collateral damage from that punishment decision
applfanboysbgon 2 days ago |
> The Helsinki Court of Appeal has overturned the criminal conviction of Ville Tapio, the former CEO of psychotherapy provider Vastaamo, in a case linked to one of Finland’s most serious data breaches. The court ruled on Thursday that Tapio was not criminally liable for alleged data protection failures related to the unauthorised access and publication of tens of thousands of patients’ sensitive information. Tapio had previously received a three-month suspended prison sentence from the District Court of Helsinki in spring 2023.
No prison time, and the conviction was overturned. Your post rather got my hopes up when it suggested that a CEO faced consequences...
smcin 2 days ago |
They did: the Finnish CEO was criminally charged and convicted (under GDPR); that never happens in the US. (I wasn't aware it was overturned on appeal in 12/2025, neither is Wikipedia currently).
They did face consequences. That ex-CEO (and CTO) also essentially had their reputations shredded, and their behavior was publicly scrutinized (have you ever seen the Comcast CEO grilled by Congress? I haven't). Sure, it would be better if they had actually gone to prison. But my point is GDPR has teeth, unlike US state digital privacy laws.
applfanboysbgon 2 days ago |
> have you ever seen the Comcast CEO grilled by Congress?
I seem to recall some media circuses here and there about CEOs being subpoenad by Congress, for example Zuckerberg. I don't really consider that a consequence in any meaningful sense.
Apparently the appeals court also released the hacker, even though his extortion led directly to the suicide of two people, and damage to thousands of others. Maybe the GDPR was meant to have teeth, but I can't help but wonder if the Helsinki Court of Appeals is for sale.
ryanlol 2 days ago |
> Apparently the appeals court also released the hacker
The court of appeals found me guilty, despite the evidence clearly not supporting that conclusion.
I rather doubt it's because they're for sale, rather it would have been too damaging for the government to admit that they had framed me.
smcin 2 days ago |
I share your outrage about companies abusing users' data, but we're mixing up several different things:
- the Vastaamo ex-CEO was in fact criminally tried and convicted (even if that conviction was overturned on eventual appeal) and had his reputation destroyed. That compares well for GDPR vs US state privacy laws, which is what I was saying to you. That was my point by saying the US Comcast CEO hasn't been grilled by Congress on those (he has on media mergers, but not his company's business practices). I'm agreeing with you that Congressional grillings aren't consequences in any meaningful sense.
- the Vastaamo hacker was not charged under GDPR, they were charged with criminal offenses: aggravated data breach, aggravated attempted extortion, aggravated distribution of information infringing private life, blackmail, breach of confidentiality and falsification of evidence.
- I was not aware the Vastaamo hacker had been freed after serving part of his sentence (although his conviction was not overturned), but it seems [0] it might have been for implicating other people in the cyberextortion/ransomware ring. And since those people were operating in countries without much rule of law, we'd expect actions were taken that didn't involved courts or journalists. I can't find any press coverage of that part.
[0]: https://www.bitdefender.com/en-us/blog/hotforsecurity/vastaa...
smcin 14 hours ago |
Ok, with the current huge Canvas breach 5/1/2026 [0], you're going to be able to compare the responses from Canvas, education systems and individual colleges across US, Canada, Australia, UK, Sweden, etc. Specifically, what, if anything, do Canvas or the colleges disclose about the breach (which users were affected, and how severely), and how soon? And then subsequently you'll see govt inquiries, and there will be cyberinsurance claims. So you'll be able to compare the effectiveness of privacy laws of each jurisdiction.
[0]: https://news.ycombinator.com/item?id=48055913#48059071
buccal 2 days ago |
In EU:
Violators of GDPR (personal data) may be fined up to €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater.
Under NIS2 (cybersecurity), financial penalties may be up to either €10 million or 2% of the global yearly revenue, again, whichever is the greater amount.
blitzar 2 days ago |
That helthcare CEO in NY comes to mind.
jwsteigerwalt 2 days ago |
It’s an overstatement to call the 2021 incident a “hack”.
readthenotes1 2 days ago |
If we want to use the word hack as a general term to describe the exploitation of notoriously weak security, then it's appropriate...
walletdrainer 2 days ago |
What about this one https://www.exploit-db.com/ezines/kr5hou2zh4qtebqk.onion/GoD...?
hbcondo714 2 days ago |
This article is from a couple weeks ago, the same day ADT submitted "Other Information" to the SEC about unauthorized access:
https://www.sec.gov/Archives/edgar/data/1703056/000170305626...
ButlerianJihad 2 days ago |
ADT is the company that sells signs you put in your front yard to make burglars consider robbing your neighbors instead, right?
kotaKat a day ago |
Don't forget the predatory door-to-door salesman implying you're going to get your house shot up and robbed tonight if you don't sign up now.
The only difference is instead of being robbed one time, you get robbed monthly for an overpriced three to six year commitment.
bu110nab3nd3r a day ago |
ADT is a scam. You pay 2k for $50 in stickers and yard signs, they sell your data to brokers aka intel agencies, and their service still sucks. You can jam their RF door and window sensors with trivial RF tools. They have most people opt in to let them access your cams “for security” reasons, and then they exfil your behavior profiles piped via cellular regardless of your settings.
vaadu a day ago |
"An investigation into the incident found the stolen information ranged from names, phone numbers, addresses and dates of birth to the last four digits of Social Security numbers and tax IDs."
Why should any company have your SSN or tax ID unless explicitly required by law? A credit check is one thing, but afterward they must delete the entire SSN and the credit report — as if they never possessed it.
Businesses required to keep it for tax/financial reporting (e.g., banks) should be banned from using it for any verification or identification purposes.