While the document clearly states they received information they didn't request it also states they used said information. While it may be added time and labor NSA should be validating the information as a check and balance as this is a unique position for the carrier to be in. NSA trusts whatever they give them. Or... NSA has influence over individual(s) with carrier X to, whoops, accidentally send you everything. To be clear I'm not saying that is what happened, but it's a broken process on both sides of the coin.
The document also states they acknowledged that they have ingested data they shouldn't and don't have a timeline on when, if ever, they'll purge it. Apparently the purge process has begun, but the not having a timeline to remove seems to read "best effort, if we don't get it all oh well". The real response should be: we received tainted data and are required to remove it all for that timeframe and rerequest all of it within N days. If you're Equifax and accidentally send out everyone's SSN to someone requesting their credit history you don't just use an excuse that you don't know how to remove it. You're obliged to remove it all. There doesn't seem to be a process in place for this. Convenient oversight.
The document also states they acknowledged that they have ingested data they shouldn't and don't have a timeline on when, if ever, they'll purge it. Apparently the purge process has begun, but the not having a timeline to remove seems to read "best effort, if we don't get it all oh well". The real response should be: we received tainted data and are required to remove it all for that timeframe and rerequest all of it within N days. If you're Equifax and accidentally send out everyone's SSN to someone requesting their credit history you don't just use an excuse that you don't know how to remove it. You're obliged to remove it all. There doesn't seem to be a process in place for this. Convenient oversight.