Cybersecurity Experts Weigh In: AT&T Discloses Six-Month Data Breach Affecting Nearly All Customers

On Friday, AT&T disclosed a significant security breach in which hackers accessed records of calls and texts of "nearly all" its cellular customers over a six-month period between May 1, 2022, and October 31, 2022. In a statement, AT&T emphasized that the compromised data did not include the content of calls or texts or sensitive personal information such as Social Security numbers, birth dates, or other personally identifiable details.

The breach also extended to records from January 2, 2023, affecting a "very small number of customers," AT&T confirmed. The telecom giant learned of the illegal download in April and has since been working closely with law enforcement, noting that "at least one person has been apprehended." While the files do not contain the content of communications, they do identify the telephone numbers interacted with during the specified periods.

"At this time, we do not believe that the data is publicly available," AT&T stated.

This incident is separate from a breach disclosed earlier this year, where hackers stole personal information of millions of current and former AT&T customers, with the data being shared on the dark web. Although the recent breach did not include personally identifiable information, security experts caution that any information can be leveraged by hackers to gain access to more sensitive data, potentially leading to fraud.

According to U.S. securities regulations, companies must disclose security breaches to customers within 30 days of becoming aware of an incident. However, when AT&T contacted the FBI about the breach, the agency authorized a delay due to security concerns. The FBI stated that after learning of the breach, it worked with AT&T and the Department of Justice to investigate the incident.

The Department of Justice justified the delay in public disclosure, noting that it could "pose a substantial risk to national security and public safety." The U.S. Federal Communications Commission (FCC) also announced an investigation into the breach on Friday.

Was I Affected?

AT&T plans to notify impacted customers via text, email, or U.S. mail. Customers can also log into their accounts to check if their data was affected. "Customers can request a report that provides a more user-friendly version of the technical information that was compromised," an AT&T spokesperson said.

Identity Theft Protection

AT&T has stated it is not providing additional identity theft protection services at this time. However, it advises customers to be wary of email or text requests asking for personal, account, or credit card information. "For example, bad actors will often send emails that try to get you to click on links that contain malicious software (known as 'phishing')," the company said. "Another technique involves sending text messages that attempt to get recipients to reveal important information like passwords or account information ('smishing')."

AT&T recommends that customers only open texts or emails from known contacts and avoid replying with personal information to unknown senders. It also advises visiting company websites directly rather than clicking on links in messages or emails, as scammers can create fake websites that mimic legitimate ones.

"In case of suspicious text activity, you may forward it to us so that we can act. Get step-by-step instructions to report unwanted text messages by following this link. Messages forwarded are free and will not count toward your text plan," AT&T stated.

Expert Commentary

Dr. Katie Paxton-Fear, Security Researcher at Traceable AI, emphasized the damage third-party breaches can cause. "When you put your trust and your customer's trust into a third party, you are implicitly linking their brand to your own. It is very important to vet the security of your vendors and ensure they have appropriate incident response plans and will alert you of data breaches."

Dan Schiappa, Chief Product and Services Officer at Arctic Wolf, highlighted the risks of identity-based attacks: "These types of attacks that exfiltrate customer records can allow attackers to piece together personal data, placing millions at risk for identity theft or fraud. Security leaders should reinforce their identity access management tools by implementing multi-factor authentication, VPNs, and regular security awareness trainings."

Jim Routh, Chief Trust Officer at Saviynt, noted the significance of the metadata breach: "The bulk of the records breached include metadata about calls made in 2022, commonly used by direct marketing organizations. It underscores the need for enterprises to invest in redesigning third-party governance models specific to credential management."

Kern Smith, Vice President at Zimperium, pointed out the importance of mobile device security: "Mobile devices are primary targets for credential compromises. Organizations must ensure both they and their vendors have appropriate security tools in place to prevent credential compromises."

Javvad Malik, Lead Security Awareness Advocate at KnowBe4, expressed concern over the extended detection period: "It is deeply concerning that AT&T failed to detect such a massive breach for an extended period. The inclusion of cell site identification numbers is particularly alarming, as it could allow for the triangulation of users' locations, compromising physical security."

Sean Deuby, Principal Technologist at Semperis, remarked on the persistence of threat actors: "Persistent threat actors are successfully targeting critical infrastructure organizations. Organizations need to have an assumed breach mindset and a backup and recovery plan to improve operational resiliency."

Jason Soroko, Senior VP of Product at Sectigo, advised implementing multi-factor authentication: "Companies using Snowflake should implement MFA to enhance security. This is true for any third-party service via an authenticated session."

Darren Guccione, CEO of Keeper Security, emphasized the importance of proactive measures: "This breach is a wake-up call for organizations to reevaluate their cybersecurity strategies. Identity applications require both authentication and end-to-end encryption to provide robust cybersecurity protection."

Nick Tausek, Lead Security Automation Architect at Swimlane, underscored the need for a layered security strategy: "Telecommunication companies must view this incident as a reminder that proactive cybersecurity measures are essential. A layered security strategy including incident detection and response is crucial."

The breach serves as a stark reminder of the evolving threats to digital security and the importance of robust cybersecurity measures for both organizations and individuals.