AT&T disclosed today that hackers have stolen extensive call and text message records from nearly all of its cellular network customers, potentially exposing sensitive information for millions of Americans. According to the company's SEC filing, the breach involved unauthorized access to call logs stored on a third-party cloud platform, affecting data from May 1 to October 31, 2022, and January 2, 2023.
While AT&T assured that the content of the calls and messages was not compromised, the stolen records included phone numbers, which can be cross-referenced with publicly available tools to identify individuals. This type of information, known as metadata, is considered highly sensitive as it can reveal communication patterns and connections.
AT&T, whose wireless network supports 127 million devices, emphasized that customer names were not included in the stolen data. Nonetheless, the company acknowledged the potential risks associated with such a breach, prompting investigations by the Justice Department, FBI, and FCC. AT&T stated it has implemented additional cybersecurity measures and is actively assisting law enforcement efforts to apprehend the perpetrators.
Experts in cybersecurity underscored the seriousness of the breach. John Scott-Railton from the University of Toronto's Citizen Lab described it as a "megabreach," highlighting the potential national security implications and privacy concerns akin to past revelations about government surveillance practices.
Thomas Rid, a professor at Johns Hopkins University specializing in cybersecurity, explained that metadata can provide detailed insights into individuals' daily routines and activities, underscoring the breach's significant implications for affected customers.
AT&T reassured customers that as of now, it does not believe the stolen data is publicly accessible. The company also clarified that the breach is not expected to impact its operations or financial results adversely.
This incident follows a previous security lapse where some AT&T customer names were compromised earlier this year, alongside Social Security numbers, according to industry analysts. Senator Ron Wyden of Oregon criticized the telecommunications industry's cybersecurity practices, calling for stricter oversight to protect consumer data from future breaches.
As the investigation continues, AT&T plans to notify affected customers directly and remains committed to enhancing its cybersecurity defenses to prevent future incidents.
