US telco giant AT&T confirms data breach affecting more than 100m people

“Nearly all” of the company’s customers were impacted by an April 2024 data breach relating to cellular activity for a period of six months in 2022.

David Hollingworth
Mon, 15 Jul 2024

AT&T advised its customers late last week of a data breach impacting “nearly all” of its cellular customers and customers who had interacted with the cellular network.

According to the 12 July notification on the company’s website, the incident took place between 14 April and 25 April 2024, with the company learning of the incident on 19 April.

“In April, AT&T learned that customer data was illegally downloaded from our workspace on a third-party cloud platform,” AT&T said in its advisory.

“We launched an investigation and engaged leading cyber security experts to understand the nature and scope of the criminal activity. We have taken steps to close off the illegal access point. We are working with law enforcement in its efforts to arrest those involved in the incident. We understand that at least one person has been apprehended.”

The compromised data includes “records of calls and texts of nearly all of AT&T’s cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network, as well as AT&T’s landline customers who interacted with those cellular numbers”, AT&T said.

The records include the telephone numbers that AT&T or MVNO cellular numbers interacted with during the period. Cell site ID numbers were also impacted for a smaller subset of records, and some data from 2 January 2023 was also breached.

The good news is the data breach only appears to impact call records, not personal information.

“The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information. It also does not include some typical information you see in your usage details, such as the time stamp of calls or texts,” AT&T said.

“While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number.”

AT&T does not believe the data is currently publicly available, and no threat actor has yet taken responsibility for the hack. The company’s filing with the US Securities and Exchange Commission goes into more detail on the impacted records.

“These records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month,” AT&T said in its SEC filing.

The US Federal Communications Commission said in a post on the X platform that it has begun “an ongoing investigation into the AT&T breach, and we’re coordinating with our law enforcement partners”.

It was revealed in a statement by the FBI that the US Department of Justice had suggested AT&T delay disclosure of the incident.

“In assessing the nature of the breach, all parties discussed a potential delay to public reporting due to potential risks to national security and/or public safety,” the FBI said in a widely reported statement.

“AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work.”

According to Wikipedia, AT&T had 114.5 million customers as of March 2024.

Darren Guccione, CEO and co-founder of Keeper Security, said the incident was a serious blow given it’s AT&T’s second data breach this year.

“AT&T’s latest announcement revealing another major data breach is a painful second blow to the millions of customers who have already lost trust after having their private information exposed by the company earlier this year. Although the leaked phone records do not contain the contents of calls and text messages, they do provide records of who customers interacted with, and some include identification numbers that could help bad actors determine where calls were made and texts were sent,” Guccione said.

“The disclosure of this information – following the leak of Social Security numbers, names, email and mailing addresses, phone numbers, dates of birth, account numbers and passcodes – is a clear violation of personal privacy and trust. These massive breaches, affecting millions of customers, underscore the persistent and evolving threats to digital security and why everyone must take concrete, proactive steps to safeguard their own sensitive information.”


UPDATED 15/07/24 to add Keeper Security commentary

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
