AT&T on Friday issued a notice saying it suffered a data breach that affects "nearly all" of its cellular customers (not to be confused with a separate AT&T data breach earlier this year). At last official count, AT&T said it serves around 109 million wireless subscribers, and given that most of those customers are affected, this qualifies as one of the largest breaches ever in the United States. Fortunately, sensitive data sets such as social security numbers and other personally identifiable information were not compromised.
Instead, the guilty party managed to download files containing AT&T records of calls and texts from a workspace on a third-party cloud platform. The stolen data includes records not only from AT&T's cellular customers, but also from customers of mobile virtual network operators (MVNOs) piggybacking on AT&T's towers, and AT&T's landline customers who interacted with the affected cellular numbers.
"We launched an investigation and engaged leading cybersecurity experts to understand the nature and scope of the criminal activity. We have taken steps to close off the illegal access point. We are working with law enforcement in its efforts to arrest those involved in the incident. We understand that at least one person has been apprehended," AT&T stated in a notice on its website.
AT&T also confirmed the breach in a regulatory filing, saying that a threat actor gained unlawful access between April 14 and April 25, 2024. The call and text records that were illegally downloaded "occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023," AT&T stated in the Form 8-K filing (PDF).
Why does this matter if personal details and conversations were not exposed? A couple of reasons come to mind. One is that, as AT&T points out, a motivated cyber-jerk could plug those numbers into various online tools to figure out the identities of millions of subscribers.
Secondly, that information could be further used to script personalized phishing texts and calls. It's a numbers game, and if even just half a percent of affected customers fall for the ruse, it amounts to over 500,000 people. Bear in mind that it's not just AT&T customers who are at risk, but anyone who fielded a call or text from an AT&T subscriber and/or one of its MVNOs. That's all to say, keep your head on a swivel, folks. You may also want to take Google up on its expanded offer for free dark web monitoring.
"We sincerely regret this incident occurred and remain committed to protecting the information in our care," AT&T said.