Hackers stole six months’ worth of call and text records of nearly every AT&T cell phone customer, the company announced Friday, a breach that has the potential to expose sensitive information about millions of Americans.
The company said in an SEC filing that it learned from an internal investigation that in April, hackers “illegally accessed and copied AT&T call logs” stored on a third-party cloud platform.
The data contains records of calls and text messages from May 1 to approximately October 31, 2022, and January 2, 2023.
The content of the calls and messages was not compromised, and customers’ personal information was not accessed — but the records included phone numbers. Such information is often called metadata, which is information about communications, and is considered highly sensitive, especially when collected and analyzed on a large scale to reveal patterns and connections between people.
AT&T’s wireless network has 127 million devices connected to it, according to the company’s 2023 annual report.
“While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a particular phone number,” the company said in its SEC filing.
The FCC said it had launched an investigation into the breach and was coordinating with law enforcement partners.
John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, which focuses on communications technology and security, called the hack a “megabreach,” noting that stolen metadata on this scale has the potential to be a significant threat to national security, as well as a problem for businesses and individuals.
“These are incredibly sensitive pieces of personal information, and when taken together on the scale of the information that appears to be included in this AT&T breach, they present a massive NSA-like window into the activity of Americans,” he said, nodding to the leaks from Edward Snowden that exposed the National Security Agency’s massive collection of metadata.
Thomas Rid, professor of strategic studies and director of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University, said metadata can reveal personal details about people, though he cautioned that more needs to be learned about what the hackers took from AT&T before the full picture of the threat will be clear.
“If you have somebody’s metadata, you know when they go to work, where they go to work, where they sleep every night,” he said.
AT&T said it “has taken additional cybersecurity measures in response to this incident, including closing the point of illegal access.” Customers affected by the hack will be notified, it said.
The company said the US Department of Justice decided it should publicly release details of the hack – on May 8 and June 5 – but only after an unspecified delay.
AT&T added that it is assisting law enforcement officials in their efforts to apprehend the hackers.
“Based on information available to AT&T, it is our understanding that at least one person has been arrested,” the company said, without elaborating.
The company sought to reassure customers that, at least as of Friday, “AT&T does not believe the data is publicly available.”
The filing also said the hack would not affect its operations or negatively impact its financial results.
Metadata itself does not include a person’s real name, although this information can be easily found online.
However, the hack announced Friday could pose an even greater threat to AT&T users due to a previous security issue. Some AT&T customer names were previously released in a breach announced in March, according to Jake Williams, vice president of research and development at Hunter Strategy, an IT consulting firm. This incident also involved Social Security numbers.
“The previously compromised and released AT&T data will help threat actors map a large percentage of the phone numbers in these customer records to the actual victims that were affected,” Williams said in an email to NBC News.
Sen. Ron Wyden, D-Ore., said in a statement that the breach was indicative of the lax legal environment in which telecommunications companies operate.
“This is not the first data breach disclosed by a major phone company, and it won’t be the last,” he said. “These hacks, which are almost always the result of poor cybersecurity, won’t end until the FCC starts holding carriers accountable for their negligence. These companies will continue to limit customer security until it hits them in the wallet with billions of dollars in fines.”
— Rob Wile and Brian Cheung contributed.