The call and text message records of tens of millions of AT&T cellphone customers in mid-to-late 2022 were exposed in a massive data breach, the telecom company revealed Friday.
AT&T blamed an “illegal download” on a third-party cloud platform that it learned about in April – just as the company was grappling with an unrelated major data leak.
AT&T said the compromised data includes the telephone numbers of “nearly all” of its cellular customers and the customers of wireless providers that use its network between May 1, 2022 and October 31, 2022.
The records of a “very small number” of customers on January 2, 2023 were also implicated, AT&T said. The content of the calls and texts was not exposed, according to the company.
AT&T listed approximately 110 million wireless subscribers as of the end of 2022.
The breach also included AT&T landline customers who interacted with those cell numbers.
AT&T said customer names were not exposed in this incident. However, the company acknowledged that publicly available tools can often link names with specific phone numbers.
Additionally, AT&T said that for an undisclosed subset of its records, one or more cell site identification numbers linked to the calls and texts were also exposed. Such data could reveal the broad geographic location of one or more of the parties.
“At this time, we do not believe that the data is publicly available,” AT&T said in a statement. “We sincerely regret this incident occurred and remain committed to protecting the information in our care.”
AT&T promised to notify current and former customers whose information was involved and provide them resources to protect their information.
Although the breach exposed phone and text records, AT&T said the exposed data does not contain the contents of the calls or texts, nor does it contain personal information such as Social Security numbers, dates of birth or other personally identifiable information.
Usage details such as the time of calls and text messages were not compromised either.
AT&T said it learned on April 19 that a “threat actor claimed to have unlawfully accessed and copied AT&T call logs.” The company said it “immediately” hired experts and a subsequent investigation determined hackers exfiltrated files between April 14 and April 25.
The company said the US Department of Justice determined in May and in June that a delay in public disclosure was warranted. It’s not clear why the US government requested that the disclosure be delayed.
AT&T spokesperson Alex Byers told CNN that this new incident has “no connection in any way” to an incident disclosed in March. At that time, AT&T said personal information such as Social Security numbers on 73 million current and former customers was released onto the dark web.
In the new incident, AT&T told CNN it learned in April that customer data was illegally downloaded from its workspace on Snowflake, a third-party cloud platform.
AT&T said it launched an investigation, hired cybersecurity experts and took steps to close the “illegal access point.”
The company said it’s cooperating with law enforcement’s efforts to apprehend those responsible and understands at least one person has already been arrested.