
Nearly all call and text message records of AT&T cellphone customers have been exposed in a massive breach




CNN

Call and text message records from mid- to late 2022 of tens of millions of AT&T cellphone customers and many non-AT&T customers were exposed in a massive data breach, the telecommunications company revealed Friday.

AT&T said the compromised data includes the phone numbers of “nearly all” of its mobile customers and those of wireless carrier customers using its network between May 1, 2022, and Oct. 31, 2022.

The stolen records also contain a record of every number that AT&T customers called or texted — including customers of other wireless networks — the number of times they interacted and the duration of the call.

Importantly, AT&T said the stolen data did not include the content of calls and text messages, nor the timing of those communications.

Records from a “very small number” of customers from Jan. 2, 2023, were also implicated, AT&T said.

“We have an ongoing investigation into the AT&T breach and are coordinating with our law enforcement partners,” the FCC said on social media platform X.

The company blamed an “illegal download” on a third-party cloud platform, which it became aware of in April — at a time when the company was dealing with a massive, unrelated data breach.

AT&T says the exposed data is not believed to be publicly available, but CNN was unable to independently verify that claim.

AT&T spokesperson Alex Byers told CNN that this was a completely new incident that was “not connected in any way” to another incident reported in March. At the time, AT&T said that personal information, including Social Security numbers of 73 million current and former customers, had been leaked on the dark web.

“We sincerely regret that this incident occurred and remain committed to protecting the information in our care,” the company said in a statement about the latest breach.

AT&T listed approximately 110 million wireless subscribers as of the end of 2022. AT&T said international calls were not included in the stolen data, with the exception of calls to Canada.

The breach also included AT&T landline customers who interacted with these mobile numbers.

AT&T said the content of calls or text messages and personal information like Social Security numbers, dates of birth or customer names were not exposed in this incident. However, the company acknowledged that publicly available tools can often link names to specific phone numbers.

Additionally, AT&T said that for an undisclosed subset of its records, one or more cell site identification numbers tied to the calls and texts were also exposed. This data could reveal the broad geographic location of one or more parties.

AT&T promised to notify current and former customers whose information was involved and provide them with resources to protect their information.

Usage details, such as the timing of calls and text messages, were also not compromised. But AT&T spokesperson Byers told CNN that the number of calls and texts, and the total duration of calls for specific days or months, were exposed.

This means the data wouldn’t pinpoint precisely when one phone number called another, but it could reveal how often two parties called each other — and how long they talked — on specific days.

AT&T said it learned on April 19 that a “threat actor claimed to have illegally accessed and copied AT&T call records.” The company said it “immediately” hired experts and a subsequent investigation determined that hackers had exfiltrated files between April 14 and April 25.

The company said the U.S. Justice Department determined in May and June that a delay in public disclosure was warranted. The FBI said AT&T reached out soon after learning about the hack, but the agency wanted to review the data for potential national security risks.

“In assessing the nature of the breach, all parties discussed a possible delay in public reporting…due to potential risks to national security and/or public safety,” the FBI said in a statement. “AT&T, the FBI, and the DOJ worked collaboratively during the first and second delay processes, while also sharing essential threat intelligence to enhance the FBI’s investigative efforts and assist AT&T’s incident response efforts.”

“This is very concerning. This information is very valuable to cybercriminals and nation states,” Sanaz Yashar, co-founder and CEO of cybersecurity firm Zafran, told CNN.

Yashar, formerly an Israeli cyber spy, said threat actors can correlate cell identification data with other readily available information to identify where someone works — including in sensitive locations like the White House and the Pentagon.

“You don’t need the timestamp. If someone is there every day, you can understand that they work and follow their routine. That’s very secret information and a way for spies to do things.”

AT&T shares fell 1% on Friday following the news.

In the new incident, AT&T told CNN that it discovered in April that customer data had been illegally downloaded from its workspace on Snowflake, a third-party cloud platform.

Brad Jones, Snowflake’s chief information security officer, told CNN in a separate statement that the company has found no evidence that this activity was “caused by a vulnerability, misconfiguration, or breach of the Snowflake platform.” Jones said this was verified by investigations by third-party cybersecurity experts from Mandiant and CrowdStrike.

AT&T said it launched an investigation, hired cybersecurity experts and took steps to shut down the “illegal access point.”

The company said it is cooperating with law enforcement efforts to apprehend those responsible and understands that at least one person has already been arrested.

This story has been updated with additional context and developments.


