The call and text message records of tens of millions of AT&T cellphone customers, as well as many non-AT&T customers, were exposed in a significant data breach, the telecom company revealed on Friday. The compromised data includes the telephone numbers of nearly all AT&T cellular customers and the customers of wireless providers that use its network, covering records from May 1, 2022, to October 31, 2022.
The stolen logs encompass every number AT&T customers called or texted, the number of interactions, and the duration of calls. However, AT&T clarified that the contents of calls and text messages, as well as the times of these communications, were not compromised. A very small number of records from January 2, 2023, were also affected.
Nature of the Breach
AT&T attributed the breach to an “illegal download” on a third-party cloud platform, which the company discovered in April. The telecom giant was already grappling with an unrelated major data leak at the time. AT&T confirmed that the exposed data is not believed to be publicly available, though this assertion remains unverified by CNN.
AT&T spokesperson Alex Byers stated that this incident was entirely new and had no connection to a previous breach disclosed in March. That earlier incident involved the release of personal information, including Social Security numbers, of 73 million current and former customers onto the dark web.
Company Response and Investigation
“We sincerely regret this incident occurred and remain committed to protecting the information in our care,” AT&T said in a statement. The company has approximately 110 million wireless subscribers as of the end of 2022. AT&T assured that international calls, except those to Canada, were not included in the stolen data.
The breach also affected AT&T landline customers who interacted with the compromised cell numbers. Although personal information such as Social Security numbers, dates of birth, and customer names was not exposed, AT&T acknowledged that publicly available tools could link names to specific phone numbers. Additionally, for an undisclosed subset of records, one or more cell site identification numbers linked to the calls and texts were exposed, potentially revealing the broad geographic location of the parties involved.
Law Enforcement Involvement
AT&T is coordinating with law enforcement in an ongoing investigation. The Federal Communications Commission (FCC) mentioned the investigation on social media platform X. The company disclosed in a filing with the Securities and Exchange Commission (SEC) that at least one person involved in the cybercriminal incident is in custody. The FBI declined to comment on this matter.
AT&T promised to notify current and former customers whose information was involved and provide them with resources to protect their information. While the exact times of calls and texts were not compromised, the number of calls, text messages, and total call durations for specific days or months were exposed. This data could reveal how often two parties communicated and the duration of their interactions on specific days.
Delay in Public Disclosure
AT&T said it learned on April 19 that a “threat actor claimed to have unlawfully accessed and copied AT&T call logs.” The company immediately hired experts, and an investigation determined that hackers had exfiltrated files between April 14 and April 25.
The US Department of Justice (DOJ) determined in May and June that a delay in public disclosure was warranted due to potential national security or public safety risks. The FBI reviewed the data for such risks before allowing the public disclosure.
Security Concerns and Implications
“This is very concerning. This information is very valuable to cyber criminals and to nation-states,” said Sanaz Yashar, co-founder and CEO of cybersecurity firm Zafran. The exposed cell ID data could help threat actors pinpoint sensitive locations, such as the workplaces of people at the White House and the Pentagon.
The cell site data could be used by bad actors to determine geolocation and make social engineering attacks more believable, noted Jason Hogg, a former FBI special agent.
AT&T’s shares fell 1% following the news. The company discovered in April that customer data was illegally downloaded from its workspace on Snowflake, a third-party cloud platform. Snowflake has also been linked to recent data breaches at Ticketmaster and Santander Bank. Snowflake’s chief information security officer, Brad Jones, stated that investigations by third-party cybersecurity experts have not found evidence of a vulnerability, misconfiguration, or breach of Snowflake’s platform.
AT&T took immediate steps to close the illegal access point and hired cybersecurity experts to assist in the investigation. The telecom company remains committed to protecting customer information and addressing the breach’s ramifications.