AT&T said Friday that criminals stole phone and text records from “nearly all” of its 2022 wireless customers in a mammoth data breach that extends to those they texted and called.
But the content of the communications was not revealed and it’s not believed the data has been made public. The telecom giant said it will notify current and former customers if their information was included. The breach also impacts other cellular brands that use AT&T’s networks.
Notice of the illegal data download was filed Friday with the U.S. Securities and Exchange Commission.
What was taken in data breach?
According to AT&T, “We learned that AT&T customer data was illegally downloaded from our workspace on a third-party cloud platform” back in April. The company said it hired cybersecurity experts to investigate the breach and that the access point is now secure.
The download included phone call and text message records of AT&T cellular customers from May through October 2022 and also some from Jan. 2, 2023 — along with other phone numbers with which the affected customers, including those with landlines, interacted. Cell tower locations were included, as well, in some cases, per AT&T. That could be used to identify neighborhoods connected to phone numbers.
AT&T said it put off notifying the public about the illegal data download because the U.S. Justice Department and FBI felt delay was warranted.
“In assessing the nature of the breach, all parties discussed a potential delay to public reporting … due to potential risks to national security and/or public safety,” the FBI said in a statement quoted by CNN. “AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work.”
At least one suspect has been arrested, per AT&T.
“Names and personal information such as Social Security numbers or credit card numbers weren’t compromised, but the carrier warned that cellphone numbers can easily be connected to names through online tools,” per The Washington Post.
Not AT&T’s first big data breach
It was the second big leak for the company in as many months. In March, AT&T reported that a breach that included customers’ Social Security numbers had been leaked to the dark web. The company said that breach, involving data from 73 million current and former customers, might have originated with AT&T or one of its vendors, as CNN reported.
According to The Hill, Sen. Ron Wyden, D-Ore., said the Federal Communications Commission should penalize phone carriers for not protecting consumer data better.
“This is not the first data breach revealed by a major phone company and it won’t be the last,” Wyden said in a statement. “These hacks, which are almost always the result of inadequate cybersecurity, won’t end until the FCC starts holding the carriers accountable for their negligence. These companies will keep shortchanging customer security until it hits them in the wallet with billion dollar fines.”
Per The New York Times, “Beyond telecommunications, recent cyberattacks have crippled operations or have led to the release of troves of data belonging to hospital patients, Ticketmaster customers and others. In some cases, the primary goal of the attacks has not always been to steal data, but to disrupt services to such an extent that providers were more likely to pay ransoms.”