The call and text message records from mid-to-late 2022 of tens of millions of AT&T cellphone customers and many non-AT&T customers were exposed in a massive data breach, the telecom company revealed on Friday.
AT&T disclosed that the compromised data includes the telephone numbers of “nearly all” of its cellular customers and customers of wireless providers using its network between May 1, 2022, and October 31, 2022. The stolen logs also contain records of every number AT&T customers called or texted, including those of other wireless networks, the number of interactions, and call duration.
Notably, AT&T said the stolen data did not include the content of the calls or text messages, nor their timestamps. Records for a “very small number” of customers from January 2, 2023, were also affected, the company said.
The Federal Communications Commission (FCC) said on the social media platform X that it has an ongoing investigation into the AT&T breach and is coordinating with its law enforcement partners.
AT&T attributed the breach to an “illegal download” from a third-party cloud platform, discovered in April while the company was dealing with a separate, unrelated data leak. The company believes the exposed data is not publicly available; CNN could not independently verify that claim.
AT&T spokesperson Alex Byers informed CNN that this incident was entirely new and unrelated to another breach disclosed in March, which involved the release of personal information such as Social Security numbers of 73 million current and former customers onto the dark web.
The company expressed sincere regret over the incident and reaffirmed its commitment to protecting the information in its care. AT&T had approximately 110 million wireless subscribers as of the end of 2022 and noted that international calls were not included in the stolen data, except those to Canada.
The breach also swept in AT&T landline customers who interacted with affected cell numbers. AT&T stressed that the stolen data did not include call or text content or personal information such as Social Security numbers, dates of birth, or customer names. The company acknowledged, however, that publicly available tools can often link a phone number to a name, so the absence of names offers limited protection.
Additionally, an undisclosed subset of records included the cell site identification numbers associated with the calls and texts, which can reveal the approximate geographic location of the parties involved.
AT&T said in a filing with the Securities and Exchange Commission that it understands at least one person involved in the incident has been apprehended. The FBI declined to comment on that statement.
The company promised to notify current and former customers affected by the breach and to provide resources to help them protect their information. The exposed records do not reveal what was said; they reveal which numbers were called or texted, how many times, and the total call duration for a given day or month.
AT&T revealed it learned on April 19 that a “threat actor” claimed to have unlawfully accessed and copied AT&T call logs. An immediate investigation determined that files were exfiltrated between April 14 and April 25.
The company said the US Department of Justice determined in May and June that delaying public disclosure was warranted due to potential national security or public safety risks. The FBI stated that AT&T reached out soon after learning about the hack, and the agency wanted to review the data for potential risks.
This appears to be the first instance where the Justice Department requested a company delay filing a disclosure with the SEC due to national security concerns.
Experts emphasized the potential value of the stolen data to cybercriminals and nation-states alike. Cell site IDs can be correlated with other data to pinpoint sensitive locations, and the pattern of who contacts whom can be used to map relationships between individuals, which in turn supports targeted social engineering.
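To make the experts' point concrete, the following is an added example (not AT&T's data and not code from any real tool) that runs a small analysis over constructed call-detail rows in the shape the article describes: originating number, contacted number, interaction count, total call seconds, and an optional cell site ID, with no content, timestamps or names. All phone numbers, cell site IDs and function names are hypothetical. It shows how little is needed to rank someone's closest contacts, find network hubs, guess a likely home cell site, and list who else is seen at that site.

```python
"""Metadata analysis over CDR-style rows (added example, hypothetical data)."""
from collections import Counter, defaultdict
import csv
import io

# Constructed sample: hypothetical numbers and cell site IDs, no real data.
SAMPLE_CDR = """\
src,dst,interactions,total_seconds,cell_site
5550100,5550111,42,6100,CS-1042
5550100,5550122,3,90,CS-1042
5550100,5550133,17,2400,CS-2077
5550111,5550100,40,6000,CS-1042
5550111,5550144,8,300,CS-3190
5550122,5550155,2,60,CS-4001
5550133,5550100,15,2200,CS-2077
5550133,5550166,9,800,CS-2077
5550144,5550111,6,240,CS-3190
"""


def parse_cdr(text):
    """Parse CSV rows into dicts with typed fields; empty cell_site becomes None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "src": row["src"],
            "dst": row["dst"],
            "interactions": int(row["interactions"]),
            "total_seconds": int(row["total_seconds"]),
            "cell_site": row["cell_site"] or None,
        })
    return rows


def build_contact_graph(rows):
    """Symmetric weighted graph: weight = interactions observed between a pair,
    summed over both directions of the exchange."""
    graph = defaultdict(Counter)
    for r in rows:
        graph[r["src"]][r["dst"]] += r["interactions"]
        graph[r["dst"]][r["src"]] += r["interactions"]
    return graph


def top_contacts(graph, number, n=3):
    """The n strongest relationships of a number, as (contact, weight) pairs."""
    return graph.get(number, Counter()).most_common(n)


def most_connected(graph, n=3):
    """Numbers with the most distinct contacts, i.e. candidate hubs."""
    degrees = ((num, len(contacts)) for num, contacts in graph.items())
    return sorted(degrees, key=lambda x: (-x[1], x[0]))[:n]


def cell_site_profile(rows, number):
    """Cell sites a number originated traffic from, weighted by interactions."""
    sites = Counter()
    for r in rows:
        if r["src"] == number and r["cell_site"]:
            sites[r["cell_site"]] += r["interactions"]
    return sites


def co_located(rows, cell_site):
    """All originating numbers seen at a given cell site."""
    return {r["src"] for r in rows if r["cell_site"] == cell_site}


def targeting_profile(rows, graph, number):
    """Combine the pieces an attacker would want for a social engineering lure."""
    sites = cell_site_profile(rows, number)
    home = sites.most_common(1)[0][0] if sites else None
    others = sorted(co_located(rows, home) - {number}) if home else []
    return {
        "number": number,
        "top_contacts": top_contacts(graph, number, 3),
        "likely_home_site": home,
        "also_seen_there": others,
    }


if __name__ == "__main__":
    records = parse_cdr(SAMPLE_CDR)
    contact_graph = build_contact_graph(records)
    print("hubs:", most_connected(contact_graph, 2))
    print(targeting_profile(records, contact_graph, "5550100"))
```

Nothing here requires message content: the ranking of contacts, the hub, the likely home site and the co-located number all come from counts and cell site IDs alone, which is why the absence of timestamps and names does less to limit the damage than it might first appear.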
Following the news, AT&T shares fell about 1% on Friday. The company said it learned in April that customer data had been illegally downloaded from its workspace on Snowflake, a third-party cloud data platform. Other major companies, including Ticketmaster and Santander Bank, have also disclosed data breaches linked to Snowflake. Snowflake’s chief information security officer, Brad Jones, said investigations found no evidence the breaches were caused by a vulnerability or misconfiguration in Snowflake’s platform.
AT&T launched an investigation, hired cybersecurity experts, and took steps to close the “illegal access point.”